Edit tour

Windows Analysis Report
90ZF1EDs9h.exe

Overview

General Information

Sample name:	90ZF1EDs9h.exe renamed because original name is a hash value
Original sample name:	9437d6cf2745f8683c3aa908e01b03cf.exe
Analysis ID:	1461305
MD5:	9437d6cf2745f8683c3aa908e01b03cf
SHA1:	4b954d00882c8249d11b61440976b2993ae4738a
SHA256:	d3d0eeab1a06460ed303b065248db53d47bfd5c253324b0d2f9efcc2dc700a47
Tags:	32exetrojan
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Found stalling execution ending in API Sleep call

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

90ZF1EDs9h.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\90ZF1EDs9h.exe" MD5: 9437D6CF2745F8683C3AA908E01B03CF)

schtasks.exe (PID: 7452 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7500 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MPGPH131.exe (PID: 7552 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 9437D6CF2745F8683C3AA908E01B03CF)

MPGPH131.exe (PID: 7560 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 9437D6CF2745F8683C3AA908E01B03CF)

RageMP131.exe (PID: 7872 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 9437D6CF2745F8683C3AA908E01B03CF)

RageMP131.exe (PID: 7132 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 9437D6CF2745F8683C3AA908E01B03CF)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: 90ZF1EDs9h.exe PID: 7300	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 7552	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 7560	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7872	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7132	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\90ZF1EDs9h.exe, ProcessId: 7300, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/23/24-18:37:04.646362
SID:	2046269
Source Port:	49732
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/23/24-18:37:07.646023
SID:	2046269
Source Port:	49731
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/23/24-18:37:06.583631
SID:	2046269
Source Port:	49747
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/23/24-18:34:58.970157
SID:	2049060
Source Port:	49731
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:36.288691
SID:	2046267
Source Port:	58709
Destination Port:	49747
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/23/24-18:37:05.458696
SID:	2046269
Source Port:	49735
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:02.465607
SID:	2046266
Source Port:	58709
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:21.729696
SID:	2046266
Source Port:	58709
Destination Port:	49747
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:34:59.553336
SID:	2046266
Source Port:	58709
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:03.603959
SID:	2046266
Source Port:	58709
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/23/24-18:37:04.786800
SID:	2046269
Source Port:	49733
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:13.471006
SID:	2046266
Source Port:	58709
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:12.390867
SID:	2046267
Source Port:	58709
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:13.312009
SID:	2046267
Source Port:	58709
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:14.392680
SID:	2046267
Source Port:	58709
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:28.664022
SID:	2046267
Source Port:	58709
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 50%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Virustotal: Detection: 53%	Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Virustotal: Detection: 53%	Perma Link

Multi AV Scanner detection for submitted file

Source: 90ZF1EDs9h.exe

Virustotal: Detection: 53%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 90ZF1EDs9h.exe

Joe Sandbox ML: detected

Source: 90ZF1EDs9h.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49751 version: TLS 1.2

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49733 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49735
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49735 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49747
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49747 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49735
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49747

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 77.91.77.66:58709

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 104.26.5.15 104.26.5.15
Source: Joe Sandbox View	IP Address: 77.91.77.66 77.91.77.66

Source: Joe Sandbox View

ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

Code function: 0_2_00049280 recv,WSASend,

0_2_00049280

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: 90ZF1EDs9h.exe, 00000000.00000003.1654226982.0000000004960000.00000004.00001000.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1681138634.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1681761352.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1788309686.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.1867802367.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2967167251.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302053976.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2319159509.0000000000E53000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E54000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: MPGPH131.exe, 00000005.00000002.2965341053.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33$
Source: MPGPH131.exe, 00000005.00000002.2967167251.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302053976.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33S
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/l/.
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33J
Source: RageMP131.exe, RageMP131.exe, 00000009.00000002.2964515667.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2319200721.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/W&
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000E01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/alj
Source: 90ZF1EDs9h.exe, 00000000.00000003.1654226982.0000000004960000.00000004.00001000.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1681138634.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1681761352.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1788309686.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.1867802367.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/s
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/tuO
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B86000.00000004.00000020.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: RageMP131.exe, 00000007.00000002.2965177153.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33#H
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33H
Source: MPGPH131.exe, 00000005.00000002.2965341053.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33q
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33~
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT8?
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTz
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro
Source: MPGPH131.exe, 00000005.00000002.2967167251.0000000000D84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/riseproD
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/riseproF
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botA$
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botGc
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botSS
Source: RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botj/
Source: RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botp
Source: 90ZF1EDs9h.exe, 00000000.00000002.2975858179.0000000007720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.v
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49751 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: 90ZF1EDs9h.exe	Static PE information: section name:
Source: 90ZF1EDs9h.exe	Static PE information: section name: .idata
Source: 90ZF1EDs9h.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_0007A928	0_2_0007A928
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_0007C960	0_2_0007C960
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_000771A0	0_2_000771A0
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_0008DA86	0_2_0008DA86
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_0008036F	0_2_0008036F
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_00098BB0	0_2_00098BB0
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_0012FC40	0_2_0012FC40
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_0006F580	0_2_0006F580
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_000947BF	0_2_000947BF
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_00132FD0	0_2_00132FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001CA928	5_2_001CA928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001CC960	5_2_001CC960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001C71A0	5_2_001C71A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001DDA86	5_2_001DDA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001D036F	5_2_001D036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001E8BB0	5_2_001E8BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0027FC40	5_2_0027FC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001BF580	5_2_001BF580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001E47BF	5_2_001E47BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00282FD0	5_2_00282FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001CA928	6_2_001CA928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001CC960	6_2_001CC960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001C71A0	6_2_001C71A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001DDA86	6_2_001DDA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001D036F	6_2_001D036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001E8BB0	6_2_001E8BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0027FC40	6_2_0027FC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001BF580	6_2_001BF580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001E47BF	6_2_001E47BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00282FD0	6_2_00282FD0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_0041C960	7_2_0041C960
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_0041A928	7_2_0041A928
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_004171A0	7_2_004171A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_0042DA86	7_2_0042DA86
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_0042036F	7_2_0042036F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00438BB0	7_2_00438BB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_004CFC40	7_2_004CFC40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_0040F580	7_2_0040F580
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00432610	7_2_00432610
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_004D2FD0	7_2_004D2FD0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_004347BF	7_2_004347BF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_0041C960	9_2_0041C960
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_0041A928	9_2_0041A928
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_004171A0	9_2_004171A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_0042DA86	9_2_0042DA86
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_0042036F	9_2_0042036F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_00438BB0	9_2_00438BB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_004CFC40	9_2_004CFC40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_0040F580	9_2_0040F580
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_00432610	9_2_00432610
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_004D2FD0	9_2_004D2FD0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_004347BF	9_2_004347BF

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: String function: 00414380 appears 48 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 001C4380 appears 48 times

Source: 90ZF1EDs9h.exe, 00000000.00000000.1647503267.00000000001CA000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs 90ZF1EDs9h.exe
Source: 90ZF1EDs9h.exe	Binary or memory string: OriginalFilenamedotnet.exe6 vs 90ZF1EDs9h.exe

Source: 90ZF1EDs9h.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 90ZF1EDs9h.exe	Static PE information: Section: ZLIB complexity 0.998056854470803
Source: 90ZF1EDs9h.exe	Static PE information: Section: pobzuwwq ZLIB complexity 0.9947049260853293
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.998056854470803
Source: RageMP131.exe.0.dr	Static PE information: Section: pobzuwwq ZLIB complexity 0.9947049260853293
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.998056854470803
Source: MPGPH131.exe.0.dr	Static PE information: Section: pobzuwwq ZLIB complexity 0.9947049260853293

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/5@2/3

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 90ZF1EDs9h.exe, 00000000.00000003.1654226982.0000000004960000.00000004.00001000.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1681138634.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1681761352.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1788309686.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.1867802367.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 90ZF1EDs9h.exe, 00000000.00000003.1654226982.0000000004960000.00000004.00001000.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1681138634.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1681761352.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1788309686.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.1867802367.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: 90ZF1EDs9h.exe

Virustotal: Detection: 53%

Source: 90ZF1EDs9h.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 90ZF1EDs9h.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

File read: C:\Users\user\Desktop\90ZF1EDs9h.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\90ZF1EDs9h.exe "C:\Users\user\Desktop\90ZF1EDs9h.exe"
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll	Jump to behavior

Source: 90ZF1EDs9h.exe

Static file information: File size 2432512 > 1048576

Source: 90ZF1EDs9h.exe

Static PE information: Raw size of pobzuwwq is bigger than: 0x100000 < 0x1a1800

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Unpacked PE file: 0.2.90ZF1EDs9h.exe.40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 5.2.MPGPH131.exe.190000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 6.2.MPGPH131.exe.190000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 7.2.RageMP131.exe.3e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 9.2.RageMP131.exe.3e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: RageMP131.exe.0.dr	Static PE information: real checksum: 0x25d952 should be: 0x253833
Source: MPGPH131.exe.0.dr	Static PE information: real checksum: 0x25d952 should be: 0x253833
Source: 90ZF1EDs9h.exe	Static PE information: real checksum: 0x25d952 should be: 0x253833

Source: 90ZF1EDs9h.exe	Static PE information: section name:
Source: 90ZF1EDs9h.exe	Static PE information: section name: .idata
Source: 90ZF1EDs9h.exe	Static PE information: section name:
Source: 90ZF1EDs9h.exe	Static PE information: section name: pobzuwwq
Source: 90ZF1EDs9h.exe	Static PE information: section name: bxltxemr
Source: 90ZF1EDs9h.exe	Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: pobzuwwq
Source: RageMP131.exe.0.dr	Static PE information: section name: bxltxemr
Source: RageMP131.exe.0.dr	Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: pobzuwwq
Source: MPGPH131.exe.0.dr	Static PE information: section name: bxltxemr
Source: MPGPH131.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_00073F59 push ecx; ret	0_2_00073F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001C3F59 push ecx; ret	5_2_001C3F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001C3F59 push ecx; ret	6_2_001C3F6C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00413F59 push ecx; ret	7_2_00413F6C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_04F808D0 push cs; iretd	7_2_04F808DA
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_00413F59 push ecx; ret	9_2_00413F6C

Source: 90ZF1EDs9h.exe	Static PE information: section name: entropy: 7.980016205845924
Source: 90ZF1EDs9h.exe	Static PE information: section name: pobzuwwq entropy: 7.953477305499687
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.980016205845924
Source: RageMP131.exe.0.dr	Static PE information: section name: pobzuwwq entropy: 7.953477305499687
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.980016205845924
Source: MPGPH131.exe.0.dr	Static PE information: section name: pobzuwwq entropy: 7.953477305499687

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Stalling execution: Execution stalls by calling Sleep	graph_0-16297
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Stalling execution: Execution stalls by calling Sleep	graph_5-18440
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Stalling execution: Execution stalls by calling Sleep

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 1D0B72 second address: 1D0B78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 1D0B78 second address: 1D0B7D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 338A6D second address: 338AB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB6h 0x00000007 jo 00007F7374772AA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 jmp 00007F7374772AB1h 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a jmp 00007F7374772AB5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3499FB second address: 3499FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C045 second address: 1D0B72 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7374772AA8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 2ED4FAD4h 0x00000013 or cl, FFFFFFF2h 0x00000016 push dword ptr [ebp+122D12B5h] 0x0000001c add dword ptr [ebp+122D2BC2h], edi 0x00000022 mov edi, dword ptr [ebp+122D3794h] 0x00000028 call dword ptr [ebp+122D1BF2h] 0x0000002e pushad 0x0000002f jnp 00007F7374772ABDh 0x00000035 jmp 00007F7374772AB7h 0x0000003a xor eax, eax 0x0000003c cmc 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 jmp 00007F7374772AB3h 0x00000046 mov dword ptr [ebp+122D38D4h], eax 0x0000004c mov dword ptr [ebp+122D19F2h], ecx 0x00000052 mov esi, 0000003Ch 0x00000057 add dword ptr [ebp+122D19F2h], eax 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 pushad 0x00000062 mov dword ptr [ebp+122D19F2h], esi 0x00000068 jg 00007F7374772AACh 0x0000006e popad 0x0000006f lodsw 0x00000071 jmp 00007F7374772AAAh 0x00000076 add eax, dword ptr [esp+24h] 0x0000007a jne 00007F7374772AB8h 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 cld 0x00000085 nop 0x00000086 push eax 0x00000087 push edx 0x00000088 push eax 0x00000089 push edx 0x0000008a jmp 00007F7374772AB2h 0x0000008f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C1BC second address: 34C1E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F737512BAEAh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F737512BAF1h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C1E2 second address: 34C1EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F7374772AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C1EC second address: 34C226 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov edx, 6DE091C7h 0x00000011 push 00000000h 0x00000013 jl 00007F737512BAECh 0x00000019 mov dword ptr [ebp+122D1824h], eax 0x0000001f push 8D57C73Ch 0x00000024 push eax 0x00000025 push edx 0x00000026 push edi 0x00000027 js 00007F737512BAE6h 0x0000002d pop edi 0x0000002e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C226 second address: 34C22C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C22C second address: 34C230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C230 second address: 34C234 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C234 second address: 34C2A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 72A83944h 0x0000000f jmp 00007F737512BAF6h 0x00000014 push 00000003h 0x00000016 mov dword ptr [ebp+122D18F7h], edx 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F737512BAE8h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000017h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 call 00007F737512BAEBh 0x0000003d sub dword ptr [ebp+122D2BB5h], edx 0x00000043 pop esi 0x00000044 push 00000003h 0x00000046 mov ecx, edx 0x00000048 call 00007F737512BAE9h 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C2A6 second address: 34C2AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C2AA second address: 34C2C7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jp 00007F737512BAECh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C2C7 second address: 34C2CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C2CB second address: 34C2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c pushad 0x0000000d jbe 00007F737512BAE6h 0x00000013 jp 00007F737512BAE6h 0x00000019 popad 0x0000001a push edi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C2E8 second address: 34C2F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C2F6 second address: 34C3B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007F737512BAF8h 0x00000012 pop eax 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F737512BAE8h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d call 00007F737512BAF6h 0x00000032 pushad 0x00000033 jnc 00007F737512BAE6h 0x00000039 pushad 0x0000003a popad 0x0000003b popad 0x0000003c pop edi 0x0000003d mov esi, 611F30B0h 0x00000042 lea ebx, dword ptr [ebp+1244EF7Ch] 0x00000048 push 00000000h 0x0000004a push eax 0x0000004b call 00007F737512BAE8h 0x00000050 pop eax 0x00000051 mov dword ptr [esp+04h], eax 0x00000055 add dword ptr [esp+04h], 00000016h 0x0000005d inc eax 0x0000005e push eax 0x0000005f ret 0x00000060 pop eax 0x00000061 ret 0x00000062 pushad 0x00000063 mov ecx, dword ptr [ebp+122D3828h] 0x00000069 mov ebx, dword ptr [ebp+122D3067h] 0x0000006f popad 0x00000070 sub dword ptr [ebp+122D1BB1h], ecx 0x00000076 xchg eax, ebx 0x00000077 jnl 00007F737512BAF2h 0x0000007d je 00007F737512BAECh 0x00000083 push eax 0x00000084 push edx 0x00000085 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C3B9 second address: 34C3CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7374772AAAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C3CB second address: 34C3CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C3CF second address: 34C3D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C3D9 second address: 34C3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 36AC68 second address: 36AC94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7374772AA6h 0x0000000a jmp 00007F7374772AADh 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 jmp 00007F7374772AAAh 0x00000017 jl 00007F7374772AB2h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 36B336 second address: 36B33C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 36B33C second address: 36B345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 36B9BD second address: 36B9C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 36B9C2 second address: 36B9D8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7374772AACh 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F7374772AA6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 36BB3C second address: 36BB76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F737512BAF1h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F737512BB01h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 36C581 second address: 36C58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 36C58B second address: 36C59B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F737512BAE6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 372EF1 second address: 372EF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 333AEC second address: 333AFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAEDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 333AFD second address: 333B11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 373C96 second address: 373CB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F737512BAE8h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 374416 second address: 37441C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37441C second address: 374422 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37908C second address: 37909C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F7374772AA6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 378771 second address: 378776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 378776 second address: 37877C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37877C second address: 378780 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 378BDD second address: 378BE7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7374772AA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 378ED4 second address: 378EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 378EDD second address: 378EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 378EE1 second address: 378EE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 378EE5 second address: 378F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7374772AA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7374772AB1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 378F04 second address: 378F2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F737512BAE6h 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37AEE6 second address: 37AEFD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jc 00007F7374772AA6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007F7374772AA6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37AEFD second address: 37AF07 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37AF91 second address: 37AF9B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7374772AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37AF9B second address: 37AFA0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37B0C4 second address: 37B0C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37B6C2 second address: 37B6C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37B6C8 second address: 37B6E8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7374772AA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F7374772AAFh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37C114 second address: 37C11D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37C19E second address: 37C1B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37C1B2 second address: 37C20A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F737512BAEBh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F737512BAE8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 xor dword ptr [ebp+122D18F7h], esi 0x0000002e jmp 00007F737512BAECh 0x00000033 or di, 3297h 0x00000038 push eax 0x00000039 jp 00007F737512BAEEh 0x0000003f push ebx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37C6A2 second address: 37C6A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37C6A8 second address: 37C6AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37D0A1 second address: 37D0A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37D0A5 second address: 37D0AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37CF1B second address: 37CF21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37D0AB second address: 37D0C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37D0C5 second address: 37D157 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F7374772AA8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 movsx edi, bx 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ebp 0x0000002c call 00007F7374772AA8h 0x00000031 pop ebp 0x00000032 mov dword ptr [esp+04h], ebp 0x00000036 add dword ptr [esp+04h], 00000016h 0x0000003e inc ebp 0x0000003f push ebp 0x00000040 ret 0x00000041 pop ebp 0x00000042 ret 0x00000043 xor edi, dword ptr [ebp+122D3830h] 0x00000049 push 00000000h 0x0000004b jmp 00007F7374772AB0h 0x00000050 xchg eax, ebx 0x00000051 jl 00007F7374772AB7h 0x00000057 push eax 0x00000058 jnl 00007F7374772AAEh 0x0000005e push esi 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37ED09 second address: 37ED27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pushad 0x00000007 jmp 00007F737512BAF3h 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37EAA6 second address: 37EAAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37ED27 second address: 37EDC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F737512BAE8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 push esi 0x00000026 add dword ptr [ebp+122D2BC7h], ecx 0x0000002c pop esi 0x0000002d mov dword ptr [ebp+122D2B0Fh], esi 0x00000033 push 00000000h 0x00000035 jnp 00007F737512BAECh 0x0000003b mov dword ptr [ebp+122D2F8Bh], edx 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push esi 0x00000046 call 00007F737512BAE8h 0x0000004b pop esi 0x0000004c mov dword ptr [esp+04h], esi 0x00000050 add dword ptr [esp+04h], 0000001Dh 0x00000058 inc esi 0x00000059 push esi 0x0000005a ret 0x0000005b pop esi 0x0000005c ret 0x0000005d mov edi, 1D3373FBh 0x00000062 xchg eax, ebx 0x00000063 jmp 00007F737512BAF3h 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007F737512BAEAh 0x00000070 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37EAAA second address: 37EAAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37EAAE second address: 37EAB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37F82F second address: 37F833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37EAB4 second address: 37EABE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F737512BAE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37F5CE second address: 37F5D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37F833 second address: 37F877 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a adc di, 9C7Ch 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F737512BAE8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov si, 2D54h 0x0000002f push 00000000h 0x00000031 xor edi, 5BA521C3h 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jns 00007F737512BAE6h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37F877 second address: 37F87D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3802C8 second address: 3802CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38005D second address: 380065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3802CC second address: 380314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F737512BAE8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov esi, dword ptr [ebp+1247D45Bh] 0x0000002a push 00000000h 0x0000002c mov si, dx 0x0000002f push 00000000h 0x00000031 mov di, dx 0x00000034 mov esi, dword ptr [ebp+122D38F4h] 0x0000003a push eax 0x0000003b jc 00007F737512BAF0h 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3817F0 second address: 38183E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jnl 00007F7374772AB9h 0x0000000e nop 0x0000000f movsx edi, bx 0x00000012 push 00000000h 0x00000014 mov edi, dword ptr [ebp+122D392Ch] 0x0000001a push 00000000h 0x0000001c xchg eax, ebx 0x0000001d jmp 00007F7374772AB8h 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 380B3F second address: 380B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 380B48 second address: 380B4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3820FF second address: 382103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38927A second address: 389282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 389282 second address: 389292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F737512BAE6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38753D second address: 387542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 389861 second address: 389866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38A850 second address: 38A86A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jp 00007F7374772AA8h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 je 00007F7374772AACh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3899D4 second address: 389A87 instructions: 0x00000000 rdtsc 0x00000002 js 00007F737512BAE8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e jmp 00007F737512BAEEh 0x00000013 pop edi 0x00000014 nop 0x00000015 jmp 00007F737512BAF4h 0x0000001a push dword ptr fs:[00000000h] 0x00000021 jmp 00007F737512BAF5h 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d jmp 00007F737512BAF6h 0x00000032 mov eax, dword ptr [ebp+122D0C2Dh] 0x00000038 js 00007F737512BAE7h 0x0000003e cmc 0x0000003f push FFFFFFFFh 0x00000041 push 00000000h 0x00000043 push edi 0x00000044 call 00007F737512BAE8h 0x00000049 pop edi 0x0000004a mov dword ptr [esp+04h], edi 0x0000004e add dword ptr [esp+04h], 0000001Ch 0x00000056 inc edi 0x00000057 push edi 0x00000058 ret 0x00000059 pop edi 0x0000005a ret 0x0000005b nop 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F737512BAF2h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38A86A second address: 38A8C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7374772AB4h 0x00000009 popad 0x0000000a nop 0x0000000b mov dword ptr [ebp+1244A37Ch], ecx 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 mov ebx, 58271747h 0x00000019 pop edi 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007F7374772AA8h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 push eax 0x00000037 js 00007F7374772AB0h 0x0000003d pushad 0x0000003e pushad 0x0000003f popad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 389A87 second address: 389AAD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F737512BAF8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jng 00007F737512BAECh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38C834 second address: 38C83B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38BA1C second address: 38BA35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F737512BAF4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38C83B second address: 38C862 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7374772AAEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38BA35 second address: 38BAD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a cld 0x0000000b push dword ptr fs:[00000000h] 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F737512BAE8h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c call 00007F737512BAECh 0x00000031 mov di, 403Ch 0x00000035 pop ebx 0x00000036 mov ebx, dword ptr [ebp+122D3864h] 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 push 00000000h 0x00000045 push ebx 0x00000046 call 00007F737512BAE8h 0x0000004b pop ebx 0x0000004c mov dword ptr [esp+04h], ebx 0x00000050 add dword ptr [esp+04h], 00000015h 0x00000058 inc ebx 0x00000059 push ebx 0x0000005a ret 0x0000005b pop ebx 0x0000005c ret 0x0000005d mov eax, dword ptr [ebp+122D031Dh] 0x00000063 mov di, B200h 0x00000067 push FFFFFFFFh 0x00000069 pushad 0x0000006a movzx edx, bx 0x0000006d mov edx, dword ptr [ebp+122D1C68h] 0x00000073 popad 0x00000074 push eax 0x00000075 jc 00007F737512BAEEh 0x0000007b push edi 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38C862 second address: 38C868 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 391CEC second address: 391CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 390F33 second address: 390FA7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7374772AA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ebx, dword ptr [ebp+122D2935h] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov di, E382h 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007F7374772AA8h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 00000015h 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f mov ebx, dword ptr [ebp+1244B59Dh] 0x00000045 mov eax, dword ptr [ebp+122D0DD5h] 0x0000004b push FFFFFFFFh 0x0000004d jmp 00007F7374772AB7h 0x00000052 nop 0x00000053 jo 00007F7374772AB0h 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 393C52 second address: 393C75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F737512BAF8h 0x00000008 ja 00007F737512BAE6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3304C9 second address: 3304CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3304CD second address: 3304D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3942EB second address: 3942F1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3942F1 second address: 394368 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov ebx, dword ptr [ebp+122D1882h] 0x00000010 push 00000000h 0x00000012 mov bl, E7h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F737512BAE8h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 call 00007F737512BAF2h 0x00000035 mov dword ptr [ebp+122D2AF9h], esi 0x0000003b pop ebx 0x0000003c push eax 0x0000003d jng 00007F737512BB02h 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F737512BAF4h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 391EED second address: 391EF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F7374772AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 39632F second address: 396333 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 396333 second address: 396339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 396339 second address: 396353 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F737512BAF5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 39826B second address: 398270 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 398270 second address: 3982E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F737512BAEEh 0x00000010 jne 00007F737512BAF6h 0x00000016 popad 0x00000017 nop 0x00000018 mov di, 61E9h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F737512BAE8h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 0000001Dh 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 mov dword ptr [ebp+1244D8C8h], esi 0x0000003e push 00000000h 0x00000040 mov ebx, dword ptr [ebp+122D37A8h] 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 push esi 0x00000049 ja 00007F737512BAE6h 0x0000004f pop esi 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3982E8 second address: 3982EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3991FC second address: 39921A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F737512BAF9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3954CB second address: 3954D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 39A248 second address: 39A24D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 39C30E second address: 39C313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 39C313 second address: 39C320 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F737512BAE6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3A39E0 second address: 3A39E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3A39E6 second address: 3A39EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3A3575 second address: 3A357F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7374772AA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3A357F second address: 3A3585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 39A388 second address: 39A38C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3A6EE1 second address: 1D0B72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e jg 00007F737512BAE8h 0x00000014 jmp 00007F737512BAECh 0x00000019 popad 0x0000001a pop eax 0x0000001b jmp 00007F737512BAF3h 0x00000020 push dword ptr [ebp+122D12B5h] 0x00000026 jmp 00007F737512BAEEh 0x0000002b call dword ptr [ebp+122D1BF2h] 0x00000031 pushad 0x00000032 jnp 00007F737512BAFDh 0x00000038 jmp 00007F737512BAF7h 0x0000003d xor eax, eax 0x0000003f cmc 0x00000040 mov edx, dword ptr [esp+28h] 0x00000044 jmp 00007F737512BAF3h 0x00000049 mov dword ptr [ebp+122D38D4h], eax 0x0000004f mov dword ptr [ebp+122D19F2h], ecx 0x00000055 mov esi, 0000003Ch 0x0000005a add dword ptr [ebp+122D19F2h], eax 0x00000060 add esi, dword ptr [esp+24h] 0x00000064 pushad 0x00000065 mov dword ptr [ebp+122D19F2h], esi 0x0000006b jg 00007F737512BAECh 0x00000071 popad 0x00000072 lodsw 0x00000074 jmp 00007F737512BAEAh 0x00000079 add eax, dword ptr [esp+24h] 0x0000007d jne 00007F737512BAF8h 0x00000083 mov ebx, dword ptr [esp+24h] 0x00000087 cld 0x00000088 nop 0x00000089 push eax 0x0000008a push edx 0x0000008b push eax 0x0000008c push edx 0x0000008d jmp 00007F737512BAF2h 0x00000092 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 399428 second address: 399493 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a pushad 0x0000000b movzx esi, bx 0x0000000e mov edx, dword ptr [ebp+122D19F7h] 0x00000014 popad 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007F7374772AA8h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 mov bx, di 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov edi, dword ptr [ebp+122D39D8h] 0x00000046 sbb edi, 2EDA0B3Eh 0x0000004c mov eax, dword ptr [ebp+122D0159h] 0x00000052 mov bx, B334h 0x00000056 push FFFFFFFFh 0x00000058 mov dword ptr [ebp+122D2FBDh], edx 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 push ebx 0x00000064 pop ebx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 399493 second address: 3994AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3994AC second address: 3994C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AB5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 398476 second address: 39849C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jng 00007F737512BAE6h 0x00000010 jmp 00007F737512BAF5h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3AE22D second address: 3AE233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3AE233 second address: 3AE237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3AEA99 second address: 3AEA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3AEBB5 second address: 3AEBB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3AEBB9 second address: 3AEC38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB9h 0x00000007 jmp 00007F7374772AB8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F7374772AADh 0x00000013 push ebx 0x00000014 pushad 0x00000015 jmp 00007F7374772AB9h 0x0000001a jmp 00007F7374772AB7h 0x0000001f jg 00007F7374772AA6h 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 pop eax 0x0000002a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3B5FD9 second address: 3B6010 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F737512BAF9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F737512BAE8h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F737512BAEBh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3B6010 second address: 3B601A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7374772AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3B5446 second address: 3B544A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3B5776 second address: 3B577B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3B577B second address: 3B5792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 js 00007F737512BAEAh 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 push edx 0x00000015 pop edx 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3B58C5 second address: 3B58C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3B58C9 second address: 3B58F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F737512BAE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F737512BAEDh 0x00000011 jmp 00007F737512BAEDh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3BA614 second address: 3BA62C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7374772AAFh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3844FD second address: 1D0B72 instructions: 0x00000000 rdtsc 0x00000002 je 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F737512BAECh 0x00000011 nop 0x00000012 mov ecx, eax 0x00000014 push dword ptr [ebp+122D12B5h] 0x0000001a mov ecx, dword ptr [ebp+122D2BE6h] 0x00000020 call dword ptr [ebp+122D1BF2h] 0x00000026 pushad 0x00000027 jnp 00007F737512BAFDh 0x0000002d xor eax, eax 0x0000002f cmc 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 jmp 00007F737512BAF3h 0x00000039 mov dword ptr [ebp+122D38D4h], eax 0x0000003f mov dword ptr [ebp+122D19F2h], ecx 0x00000045 mov esi, 0000003Ch 0x0000004a add dword ptr [ebp+122D19F2h], eax 0x00000050 add esi, dword ptr [esp+24h] 0x00000054 pushad 0x00000055 mov dword ptr [ebp+122D19F2h], esi 0x0000005b jg 00007F737512BAECh 0x00000061 popad 0x00000062 lodsw 0x00000064 jmp 00007F737512BAEAh 0x00000069 add eax, dword ptr [esp+24h] 0x0000006d jne 00007F737512BAF8h 0x00000073 mov ebx, dword ptr [esp+24h] 0x00000077 cld 0x00000078 nop 0x00000079 push eax 0x0000007a push edx 0x0000007b push eax 0x0000007c push edx 0x0000007d jmp 00007F737512BAF2h 0x00000082 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 384651 second address: 3846C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7374772AAFh 0x0000000e popad 0x0000000f add dword ptr [esp], 2B031606h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F7374772AA8h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 mov edi, dword ptr [ebp+122D1C05h] 0x00000036 push F37C85ECh 0x0000003b push esi 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F7374772AB6h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3847B7 second address: 3847D0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F737512BAE8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F737512BAEAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3847D0 second address: 3847DA instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7374772AACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 384900 second address: 384906 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 384906 second address: 38490C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38490C second address: 384910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 384E6F second address: 384E75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 384FED second address: 384FF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 385125 second address: 38513A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7374772AAEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38513A second address: 385189 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F737512BAF8h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F737512BAF6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 385208 second address: 385212 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 385212 second address: 385216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 385216 second address: 38528F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a add ecx, 0F3C936Ah 0x00000010 lea eax, dword ptr [ebp+12486E6Ch] 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F7374772AA8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 mov dword ptr [ebp+122D2BC7h], ebx 0x00000036 push eax 0x00000037 jmp 00007F7374772AAEh 0x0000003c mov dword ptr [esp], eax 0x0000003f mov edx, dword ptr [ebp+122D1AF9h] 0x00000045 mov dx, BD87h 0x00000049 lea eax, dword ptr [ebp+12486E28h] 0x0000004f mov di, ax 0x00000052 nop 0x00000053 pushad 0x00000054 push eax 0x00000055 pushad 0x00000056 popad 0x00000057 pop eax 0x00000058 jg 00007F7374772AA8h 0x0000005e popad 0x0000005f push eax 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 push esi 0x00000064 pop esi 0x00000065 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38528F second address: 3852A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3B9D4F second address: 3B9D55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3BA1C9 second address: 3BA1CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3BA1CD second address: 3BA1E9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F7374772AB3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3BA1E9 second address: 3BA209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F737512BAEDh 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F737512BAEBh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3BD2AC second address: 3BD2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jne 00007F7374772AA6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3BD2B8 second address: 3BD2BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 33C016 second address: 33C052 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop edi 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7374772AB0h 0x00000014 pushad 0x00000015 jnp 00007F7374772AA6h 0x0000001b jmp 00007F7374772AAFh 0x00000020 jnp 00007F7374772AA6h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C16AB second address: 3C16B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C16B0 second address: 3C16BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C1A84 second address: 3C1AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jnp 00007F737512BAEEh 0x0000000c jne 00007F737512BAE6h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F737512BAEDh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C1AA9 second address: 3C1AD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F7374772AAEh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7374772AB1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C1F8E second address: 3C1FA8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F737512BAF0h 0x00000010 jmp 00007F737512BAEAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C24CB second address: 3C24D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C24D1 second address: 3C24DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C24DC second address: 3C24ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jp 00007F7374772AACh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C24ED second address: 3C24F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C24F2 second address: 3C24F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C24F8 second address: 3C24FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C24FE second address: 3C2504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C264F second address: 3C2655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C2655 second address: 3C2659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C139D second address: 3C13AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F737512BAECh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C63C1 second address: 3C63C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C63C5 second address: 3C63CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C63CB second address: 3C63E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7374772AB0h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C63E1 second address: 3C6401 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F737512BAF8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C6401 second address: 3C6407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C6407 second address: 3C642C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F737512BAE6h 0x0000000a jbe 00007F737512BAE6h 0x00000010 popad 0x00000011 jmp 00007F737512BAEDh 0x00000016 pushad 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CB6EC second address: 3CB6FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F7374772AA6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CAFFA second address: 3CB009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jl 00007F737512BAE6h 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CB009 second address: 3CB026 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CB16E second address: 3CB172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CB421 second address: 3CB42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CF3D8 second address: 3CF3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CED40 second address: 3CED60 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7374772AA6h 0x00000008 jmp 00007F7374772AB1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CEE8D second address: 3CEE92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CEE92 second address: 3CEEAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jng 00007F7374772AA6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F7374772AC1h 0x00000012 je 00007F7374772AACh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CF0FF second address: 3CF103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CF103 second address: 3CF10B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CF10B second address: 3CF13A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F737512BAF1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D3F7C second address: 3D3F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D3222 second address: 3D3234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnp 00007F737512BAEAh 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D3234 second address: 3D3242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D3242 second address: 3D3257 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F737512BAF0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D33BC second address: 3D33EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB2h 0x00000007 jmp 00007F7374772AB9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D33EE second address: 3D33F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D33F4 second address: 3D33FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D36CD second address: 3D36D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D36D3 second address: 3D36E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F7374772AA8h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D36E1 second address: 3D36E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D36E8 second address: 3D36EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D381F second address: 3D3827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D3827 second address: 3D3846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007F7374772AA6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007F7374772AAEh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D3846 second address: 3D3860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jl 00007F737512BB1Bh 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jg 00007F737512BAE6h 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D3860 second address: 3D3877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F7374772AAFh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D98C4 second address: 3D98E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F737512BAF6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D98E0 second address: 3D98FD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F7374772AB1h 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D98FD second address: 3D9906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D9906 second address: 3D990A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D81C3 second address: 3D81C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D81C8 second address: 3D81CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D81CE second address: 3D81D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D81D2 second address: 3D81F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007F7374772AACh 0x0000000e jnc 00007F7374772AA6h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D81F0 second address: 3D81F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D81F4 second address: 3D81FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D863E second address: 3D8648 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F737512BAE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D8648 second address: 3D865A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7374772AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F7374772AA6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 384CDD second address: 384CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3DAECF second address: 3DAED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E0397 second address: 3E039D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E120F second address: 3E1213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E1213 second address: 3E1217 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E1531 second address: 3E154F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7374772AA6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F7374772AACh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E154F second address: 3E1553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E1553 second address: 3E1565 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7374772AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F7374772AA6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E1DE4 second address: 3E1DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E1DEB second address: 3E1DF9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7374772AA8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E1DF9 second address: 3E1DFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E2091 second address: 3E20BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7374772AB0h 0x00000008 push edi 0x00000009 pop edi 0x0000000a jnp 00007F7374772AA6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007F7374772AA6h 0x00000019 jl 00007F7374772AA6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E6123 second address: 3E6142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F737512BAF6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E640A second address: 3E6418 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E6568 second address: 3E656C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E656C second address: 3E6589 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AADh 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F7374772AA6h 0x0000000f jng 00007F7374772AA6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E6849 second address: 3E6861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F737512BAF3h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E6861 second address: 3E68B1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7374772AA8h 0x00000008 jmp 00007F7374772AB1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edi 0x00000011 jmp 00007F7374772AACh 0x00000016 pop edi 0x00000017 jnl 00007F7374772AA8h 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007F7374772AB9h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E69DC second address: 3E6A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 jmp 00007F737512BAEDh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F737512BAECh 0x00000015 jmp 00007F737512BAEFh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E6A0F second address: 3E6A13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E6CD6 second address: 3E6CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E6CDC second address: 3E6CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7374772AB2h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3EB7C1 second address: 3EB7C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3EB7C6 second address: 3EB7F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB2h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7374772AB4h 0x0000000e jns 00007F7374772AA6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F4DC3 second address: 3F4DC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F4DC9 second address: 3F4DDE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7374772AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jnl 00007F7374772AA6h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F4DDE second address: 3F4DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F4DE9 second address: 3F4DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F4DF1 second address: 3F4E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F737512BAE6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F4E02 second address: 3F4E1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F32B7 second address: 3F32BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F32BB second address: 3F32BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F32BF second address: 3F32C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F35CC second address: 3F35E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F7374772AAEh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F35E1 second address: 3F35F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jc 00007F737512BAE6h 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F3784 second address: 3F37A1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7374772AA6h 0x00000008 jmp 00007F7374772AB0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F390C second address: 3F3910 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F3ACA second address: 3F3AF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F3E04 second address: 3F3E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F3E08 second address: 3F3E0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F4C3A second address: 3F4C44 instructions: 0x00000000 rdtsc 0x00000002 js 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F4C44 second address: 3F4C49 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA78E second address: 3FA797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA797 second address: 3FA7B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7374772AB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA7B4 second address: 3FA7CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA7CA second address: 3FA7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA32B second address: 3FA351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F737512BAE6h 0x0000000a popad 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e je 00007F737512BAE6h 0x00000014 pop edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F737512BAECh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA351 second address: 3FA357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA488 second address: 3FA492 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA492 second address: 3FA496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA496 second address: 3FA49E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA49E second address: 3FA4A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA4A4 second address: 3FA4C8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F737512BAE6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F737512BAEFh 0x00000012 pop eax 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA4C8 second address: 3FA4DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7374772AA6h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e js 00007F7374772AA6h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4081EA second address: 4081F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4081F2 second address: 4081F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4081F6 second address: 408210 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F737512BAF4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 40BEFD second address: 40BF08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 40BF08 second address: 40BF0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 40BF0C second address: 40BF27 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007F7374772AA8h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 40BF27 second address: 40BF40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF3h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4135C2 second address: 4135C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 41341D second address: 413423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 413423 second address: 413429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 413429 second address: 41342D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 41C660 second address: 41C664 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 42164C second address: 421672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F737512BAF0h 0x00000009 jmp 00007F737512BAF1h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 421672 second address: 42167E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F7374772AA6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 42167E second address: 42169C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F737512BAEBh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 42169C second address: 4216A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4217CA second address: 4217CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 421EF9 second address: 421EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 422A8F second address: 422A95 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 427508 second address: 42750E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 43D3D0 second address: 43D3D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 43D3D9 second address: 43D3DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 44AEC5 second address: 44AEC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 44C6E5 second address: 44C6EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 44C6EB second address: 44C6EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 44E509 second address: 44E515 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jc 00007F7374772AA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 477ED0 second address: 477ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 477ED4 second address: 477EE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AAAh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 478184 second address: 478196 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F737512BAE6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 478304 second address: 47830A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47830A second address: 47830F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47830F second address: 478315 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 478315 second address: 47831B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47831B second address: 478358 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AACh 0x00000007 jne 00007F7374772AA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 je 00007F7374772AC9h 0x00000017 jmp 00007F7374772AB7h 0x0000001c jc 00007F7374772AACh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 478465 second address: 47846F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 478B53 second address: 478B57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47D00D second address: 47D011 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47D011 second address: 47D017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47D017 second address: 47D021 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F737512BAECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47D62D second address: 47D631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47D631 second address: 47D63B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47D63B second address: 47D63F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47EFA9 second address: 47EFAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47EFAF second address: 47EFB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47EAC0 second address: 47EAC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47EAC6 second address: 47EACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B406E4 second address: 4B40748 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F737512BAF6h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 call 00007F737512BAECh 0x00000018 pop esi 0x00000019 pushfd 0x0000001a jmp 00007F737512BAEBh 0x0000001f xor esi, 73258A6Eh 0x00000025 jmp 00007F737512BAF9h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B40748 second address: 4B407A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7374772AB7h 0x00000009 or si, D07Eh 0x0000000e jmp 00007F7374772AB9h 0x00000013 popfd 0x00000014 mov bx, cx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F7374772AAAh 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 mov bh, ah 0x00000025 mov si, di 0x00000028 popad 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d push eax 0x0000002e pop edi 0x0000002f push eax 0x00000030 pop edi 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10128 second address: 4B10173 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F737512BAEDh 0x0000000b adc ecx, 54075586h 0x00000011 jmp 00007F737512BAF1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F737512BAF8h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10173 second address: 4B10177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10177 second address: 4B1017D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B1017D second address: 4B101BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7374772AACh 0x00000009 xor cl, FFFFFF88h 0x0000000c jmp 00007F7374772AABh 0x00000011 popfd 0x00000012 movzx eax, dx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 jmp 00007F7374772AB2h 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B101BC second address: 4B101C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B101C0 second address: 4B101C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B101C6 second address: 4B10252 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c call 00007F737512BAEEh 0x00000011 pushfd 0x00000012 jmp 00007F737512BAF2h 0x00000017 and cl, FFFFFFA8h 0x0000001a jmp 00007F737512BAEBh 0x0000001f popfd 0x00000020 pop ecx 0x00000021 pushfd 0x00000022 jmp 00007F737512BAF9h 0x00000027 adc ah, FFFFFFC6h 0x0000002a jmp 00007F737512BAF1h 0x0000002f popfd 0x00000030 popad 0x00000031 pop ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F737512BAEDh 0x00000039 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B800AF second address: 4B800B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B00D57 second address: 4B00D6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B00D6B second address: 4B00E1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F7374772AB6h 0x00000010 push dword ptr [ebp+04h] 0x00000013 jmp 00007F7374772AB0h 0x00000018 push dword ptr [ebp+0Ch] 0x0000001b pushad 0x0000001c pushad 0x0000001d jmp 00007F7374772AACh 0x00000022 pushfd 0x00000023 jmp 00007F7374772AB2h 0x00000028 add al, 00000008h 0x0000002b jmp 00007F7374772AABh 0x00000030 popfd 0x00000031 popad 0x00000032 pushfd 0x00000033 jmp 00007F7374772AB8h 0x00000038 and ah, 00000068h 0x0000003b jmp 00007F7374772AABh 0x00000040 popfd 0x00000041 popad 0x00000042 push dword ptr [ebp+08h] 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F7374772AB5h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B00E1C second address: 4B00E2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B00E2C second address: 4B00E30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B00E69 second address: 4B00E6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B00E6F second address: 4B00E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B00E73 second address: 4B00E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CA7 second address: 4B70CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CAB second address: 4B70CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CB1 second address: 4B70CCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CCE second address: 4B70CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CD2 second address: 4B70CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CE2 second address: 4B70CE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CE6 second address: 4B70CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CEC second address: 4B70CF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CF2 second address: 4B70CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CF6 second address: 4B70D13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F737512BAF2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70D13 second address: 4B70D19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70D19 second address: 4B70D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50B4E second address: 4B50B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50B53 second address: 4B50B59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50B59 second address: 4B50B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50B5D second address: 4B50B87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F737512BAF0h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50B87 second address: 4B50B8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50B8D second address: 4B50B93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50B93 second address: 4B50B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50B97 second address: 4B50BB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F737512BAEFh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50BB3 second address: 4B50BB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50BB7 second address: 4B50BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50BBD second address: 4B50BCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50BCC second address: 4B50BD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50BD0 second address: 4B50BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50BDF second address: 4B50C06 instructions: 0x00000000 rdtsc 0x00000002 mov dl, BAh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop edx 0x00000009 movzx esi, dx 0x0000000c popad 0x0000000d popad 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F737512BAF6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50C06 second address: 4B50C18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50C18 second address: 4B50C1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4BA00EB second address: 4BA0110 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7374772AADh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80CC1 second address: 4B80CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80CC7 second address: 4B80CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80CCB second address: 4B80CCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80CCF second address: 4B80CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ecx, 340D98D3h 0x0000000f push eax 0x00000010 mov bl, C8h 0x00000012 pop ecx 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80CE7 second address: 4B80D29 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F737512BAF2h 0x00000008 add ax, FF88h 0x0000000d jmp 00007F737512BAEBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F737512BAF5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80D29 second address: 4B80D2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80D2F second address: 4B80D33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10815 second address: 4B10828 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10828 second address: 4B1082E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B1082E second address: 4B10832 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10832 second address: 4B10850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F737512BAEEh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10850 second address: 4B10854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10854 second address: 4B1085A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B1085A second address: 4B10869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10869 second address: 4B10879 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10879 second address: 4B1087D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B1087D second address: 4B10881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10881 second address: 4B10887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70D47 second address: 4B70DB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F737512BAF7h 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007F737512BAF9h 0x0000000f adc al, 00000006h 0x00000012 jmp 00007F737512BAF1h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c jmp 00007F737512BAEEh 0x00000021 push eax 0x00000022 jmp 00007F737512BAEBh 0x00000027 xchg eax, ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70DB6 second address: 4B70DBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70DBA second address: 4B70DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80466 second address: 4B804A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 mov ah, bh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F7374772AAFh 0x00000014 xor si, 84BEh 0x00000019 jmp 00007F7374772AB9h 0x0000001e popfd 0x0000001f mov ax, EA07h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B804A8 second address: 4B804B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 mov bl, DAh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B804B9 second address: 4B804BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B804BF second address: 4B804C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 7AED81A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B804C9 second address: 4B80524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 mov edi, 47B7CD2Ch 0x0000000e mov dl, 90h 0x00000010 popad 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 call 00007F7374772AB9h 0x0000001b pop ecx 0x0000001c pushfd 0x0000001d jmp 00007F7374772AB1h 0x00000022 sub ecx, 02504466h 0x00000028 jmp 00007F7374772AB1h 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80524 second address: 4B80550 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 push edi 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp+08h] 0x0000000e jmp 00007F737512BAF5h 0x00000013 and dword ptr [eax], 00000000h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80550 second address: 4B80554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80554 second address: 4B80567 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80567 second address: 4B805D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7374772AAFh 0x00000009 or al, FFFFFFAEh 0x0000000c jmp 00007F7374772AB9h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F7374772AB0h 0x00000018 sbb al, 00000028h 0x0000001b jmp 00007F7374772AABh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 and dword ptr [eax+04h], 00000000h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F7374772AB5h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B805D5 second address: 4B805DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 01227DD2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50A6F second address: 4B50AA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F7374772AB5h 0x0000000b jmp 00007F7374772AABh 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov dh, 77h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50AA1 second address: 4B50B02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F737512BAF6h 0x00000009 sbb eax, 029C8068h 0x0000000f jmp 00007F737512BAEBh 0x00000014 popfd 0x00000015 jmp 00007F737512BAF8h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F737512BAF7h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80E96 second address: 4B80E9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80E9C second address: 4B80ECC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F737512BAF8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80ECC second address: 4B80EDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80EDB second address: 4B80EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAF4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80EF3 second address: 4B80F17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov ecx, 600E1D8Bh 0x00000013 mov si, 0767h 0x00000017 popad 0x00000018 pop ebp 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80F17 second address: 4B80F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B307AE second address: 4B307B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B307B2 second address: 4B3082E instructions: 0x00000000 rdtsc 0x00000002 mov ah, 25h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F737512BAF5h 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F737512BAF3h 0x00000014 sub eax, 053B879Eh 0x0000001a jmp 00007F737512BAF9h 0x0000001f popfd 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F737512BAEAh 0x0000002b jmp 00007F737512BAF5h 0x00000030 popfd 0x00000031 mov dx, ax 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B3082E second address: 4B30850 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 5D11025Eh 0x00000008 call 00007F7374772AAFh 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B30850 second address: 4B30854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B30854 second address: 4B3085A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B3085A second address: 4B30874 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAF6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B30874 second address: 4B3089B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7374772AB9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B3089B second address: 4B308A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B308A1 second address: 4B308C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7374772AAAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B308C0 second address: 4B308CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90A8D second address: 4B90AA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90AA8 second address: 4B90AAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90AAD second address: 4B90AEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F7374772AABh 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F7374772AB6h 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90AEE second address: 4B90AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90AF2 second address: 4B90B0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90B0F second address: 4B90B15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90B15 second address: 4B90B19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90B19 second address: 4B90B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F737512BAEBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90B2F second address: 4B90B58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 movsx edx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7374772AB9h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90B58 second address: 4B90B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90B68 second address: 4B90C65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [76FB65FCh] 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F7374772AB4h 0x00000017 add esi, 06235C68h 0x0000001d jmp 00007F7374772AABh 0x00000022 popfd 0x00000023 mov ecx, 7AAA125Fh 0x00000028 popad 0x00000029 test eax, eax 0x0000002b pushad 0x0000002c mov ecx, edi 0x0000002e popad 0x0000002f je 00007F73E6B1585Ah 0x00000035 jmp 00007F7374772AB9h 0x0000003a mov ecx, eax 0x0000003c jmp 00007F7374772AAEh 0x00000041 xor eax, dword ptr [ebp+08h] 0x00000044 pushad 0x00000045 pushfd 0x00000046 jmp 00007F7374772AB7h 0x0000004b jmp 00007F7374772AB3h 0x00000050 popfd 0x00000051 push ecx 0x00000052 pushfd 0x00000053 jmp 00007F7374772AAFh 0x00000058 and si, 97CEh 0x0000005d jmp 00007F7374772AB9h 0x00000062 popfd 0x00000063 pop eax 0x00000064 popad 0x00000065 and ecx, 1Fh 0x00000068 jmp 00007F7374772AB7h 0x0000006d ror eax, cl 0x0000006f push eax 0x00000070 push edx 0x00000071 push eax 0x00000072 push edx 0x00000073 pushad 0x00000074 popad 0x00000075 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90C65 second address: 4B90C6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90C6B second address: 4B90C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90C71 second address: 4B90C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5001C second address: 4B50020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50020 second address: 4B50026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50026 second address: 4B5002B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5002B second address: 4B5003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5003B second address: 4B5003F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5003F second address: 4B50045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50045 second address: 4B50091 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 508E5755h 0x00000008 mov ah, 13h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f movzx ecx, dx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F7374772AB0h 0x00000019 jmp 00007F7374772AB5h 0x0000001e popfd 0x0000001f popad 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F7374772AADh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50091 second address: 4B50106 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F737512BAF7h 0x00000009 jmp 00007F737512BAF3h 0x0000000e popfd 0x0000000f jmp 00007F737512BAF8h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 jmp 00007F737512BAF0h 0x0000001e and esp, FFFFFFF8h 0x00000021 jmp 00007F737512BAF0h 0x00000026 xchg eax, ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50106 second address: 4B5010D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5010D second address: 4B50156 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, ch 0x00000005 mov edi, 72A27252h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F737512BAF8h 0x00000013 xchg eax, ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov dx, 5C80h 0x0000001b call 00007F737512BAF9h 0x00000020 pop ecx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50156 second address: 4B501F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7374772AB8h 0x00000009 and esi, 5DC63D28h 0x0000000f jmp 00007F7374772AABh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebx 0x00000019 pushad 0x0000001a mov bx, cx 0x0000001d movzx ecx, dx 0x00000020 popad 0x00000021 push eax 0x00000022 jmp 00007F7374772AAAh 0x00000027 xchg eax, ebx 0x00000028 jmp 00007F7374772AB0h 0x0000002d mov ebx, dword ptr [ebp+10h] 0x00000030 jmp 00007F7374772AB0h 0x00000035 xchg eax, esi 0x00000036 jmp 00007F7374772AB0h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f pushfd 0x00000040 jmp 00007F7374772AACh 0x00000045 add ah, 00000048h 0x00000048 jmp 00007F7374772AABh 0x0000004d popfd 0x0000004e push eax 0x0000004f pop edi 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B501F3 second address: 4B50213 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50213 second address: 4B50217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50217 second address: 4B5021B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5021B second address: 4B50221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50221 second address: 4B50227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50227 second address: 4B5022B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5022B second address: 4B50286 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e jmp 00007F737512BAF0h 0x00000013 xchg eax, edi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop ecx 0x00000019 pushfd 0x0000001a jmp 00007F737512BAF9h 0x0000001f sub al, FFFFFFD6h 0x00000022 jmp 00007F737512BAF1h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50286 second address: 4B502CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov di, ax 0x0000000d mov bl, ah 0x0000000f popad 0x00000010 xchg eax, edi 0x00000011 jmp 00007F7374772AB9h 0x00000016 test esi, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F7374772AB8h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B502CE second address: 4B502DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B502DD second address: 4B502E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B502E3 second address: 4B5032E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F73E7509E10h 0x0000000e jmp 00007F737512BAF7h 0x00000013 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001a pushad 0x0000001b movzx esi, bx 0x0000001e mov esi, edx 0x00000020 popad 0x00000021 je 00007F73E7509DFBh 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F737512BAEFh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5032E second address: 4B50332 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50332 second address: 4B50385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edi, ecx 0x00000008 popad 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c jmp 00007F737512BAF0h 0x00000011 or edx, dword ptr [ebp+0Ch] 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F737512BAEEh 0x0000001b adc si, 6C08h 0x00000020 jmp 00007F737512BAEBh 0x00000025 popfd 0x00000026 pushad 0x00000027 mov esi, 35138295h 0x0000002c popad 0x0000002d popad 0x0000002e test edx, 61000000h 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50385 second address: 4B5038D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, ax 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5038D second address: 4B503A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 2914h 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F73E7509DD5h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B503A5 second address: 4B503A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B503A9 second address: 4B503BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B503BB second address: 4B503E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d pushad 0x0000000e mov edi, ecx 0x00000010 mov dx, cx 0x00000013 popad 0x00000014 jne 00007F73E6B50D72h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B503E1 second address: 4B503E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B503E5 second address: 4B503EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70010 second address: 4B7001F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7001F second address: 4B70025 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70025 second address: 4B70029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70029 second address: 4B7002D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7002D second address: 4B7005C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a mov esi, 47620689h 0x0000000f jmp 00007F737512BAF6h 0x00000014 popad 0x00000015 mov dword ptr [esp], ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7005C second address: 4B70060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70060 second address: 4B70064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70064 second address: 4B7006A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7006A second address: 4B700DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 05B4h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c jmp 00007F737512BAF3h 0x00000011 and esp, FFFFFFF8h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F737512BAEBh 0x0000001d jmp 00007F737512BAF3h 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F737512BAF8h 0x00000029 xor cx, 40F8h 0x0000002e jmp 00007F737512BAEBh 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B700DA second address: 4B70114 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7374772AAFh 0x00000008 call 00007F7374772AB8h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov ah, bl 0x00000017 mov eax, 57B0F01Bh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70114 second address: 4B70124 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70124 second address: 4B70168 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e jmp 00007F7374772AB6h 0x00000013 xchg eax, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F7374772AB7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70168 second address: 4B7016E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7016E second address: 4B70186 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70186 second address: 4B7018A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7018A second address: 4B70190 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70190 second address: 4B701F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov dh, ah 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F737512BAEBh 0x00000014 jmp 00007F737512BAF3h 0x00000019 popfd 0x0000001a popad 0x0000001b popad 0x0000001c mov esi, dword ptr [ebp+08h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F737512BAEBh 0x00000028 jmp 00007F737512BAF3h 0x0000002d popfd 0x0000002e mov ch, 2Eh 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B701F1 second address: 4B70212 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, A6h 0x00000005 call 00007F7374772AADh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebx, 00000000h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70212 second address: 4B7022B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7022B second address: 4B70231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70231 second address: 4B70235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70235 second address: 4B702C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F7374772AB4h 0x00000014 and ecx, 1A0FF318h 0x0000001a jmp 00007F7374772AABh 0x0000001f popfd 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F7374772AB6h 0x00000027 adc si, DD78h 0x0000002c jmp 00007F7374772AABh 0x00000031 popfd 0x00000032 popad 0x00000033 popad 0x00000034 je 00007F73E6B28B91h 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F7374772AB7h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B702C4 second address: 4B702E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B702E1 second address: 4B702E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B702E7 second address: 4B7030D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7030D second address: 4B70311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70311 second address: 4B70317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70317 second address: 4B7033C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, esi 0x00000005 mov di, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, esi 0x0000000d pushad 0x0000000e push esi 0x0000000f jmp 00007F7374772AB3h 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7033C second address: 4B70365 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 0CCA1741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a je 00007F73E74E1B43h 0x00000010 jmp 00007F737512BAECh 0x00000015 test byte ptr [76FB6968h], 00000002h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70365 second address: 4B70369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70369 second address: 4B70386 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70386 second address: 4B7038B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7038B second address: 4B703E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bl, 59h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F73E74E1B08h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F737512BAF1h 0x00000018 or ah, 00000056h 0x0000001b jmp 00007F737512BAF1h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F737512BAF0h 0x00000027 and eax, 1BA2F078h 0x0000002d jmp 00007F737512BAEBh 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B703E8 second address: 4B703EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B703EE second address: 4B703F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B703F2 second address: 4B70419 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov di, ax 0x00000011 call 00007F7374772AB4h 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70419 second address: 4B70439 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F737512BAF5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70439 second address: 4B7043F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7043F second address: 4B70443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70443 second address: 4B70462 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70462 second address: 4B704DC instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 67120F74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F737512BAEDh 0x0000000f adc esi, 0BB84D36h 0x00000015 jmp 00007F737512BAF1h 0x0000001a popfd 0x0000001b popad 0x0000001c xchg eax, ebx 0x0000001d pushad 0x0000001e jmp 00007F737512BAECh 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F737512BAF0h 0x0000002a xor cl, FFFFFF88h 0x0000002d jmp 00007F737512BAEBh 0x00000032 popfd 0x00000033 mov eax, 0C89CFFFh 0x00000038 popad 0x00000039 popad 0x0000003a xchg eax, ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F737512BAF1h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B704DC second address: 4B704F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B704F8 second address: 4B704FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Special instruction interceptor: First address: 1D0BD6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Special instruction interceptor: First address: 1D0B05 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Special instruction interceptor: First address: 373A87 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Special instruction interceptor: First address: 1CE10A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Special instruction interceptor: First address: 39CF2B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Special instruction interceptor: First address: 3FCAEB instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 320BD6 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 320B05 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 4C3A87 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 31E10A instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 4ECF2B instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 54CAEB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 570BD6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 570B05 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 713A87 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 56E10A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 73CF2B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 79CAEB instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

Code function: 0_2_04BC0728 rdtsc

0_2_04BC0728

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window / User API: threadDelayed 1247	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window / User API: threadDelayed 1188	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window / User API: threadDelayed 1207	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window / User API: threadDelayed 1009	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window / User API: threadDelayed 403	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1265	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1266	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1182	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1229	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1302	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1323	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1270	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1217	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1275	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1521	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1502	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1526	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1371	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1499	Jump to behavior

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_0-16310
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_5-18440
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7344	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7344	Thread sleep time: -74037s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7340	Thread sleep count: 1247 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7340	Thread sleep time: -2495247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7412	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7304	Thread sleep count: 97 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7320	Thread sleep count: 1188 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7320	Thread sleep time: -2377188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7328	Thread sleep count: 1207 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7328	Thread sleep time: -2415207s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7304	Thread sleep count: 205 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7324	Thread sleep count: 1009 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7324	Thread sleep time: -2019009s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7304	Thread sleep count: 52 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7324	Thread sleep count: 293 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7324	Thread sleep time: -586293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7320	Thread sleep count: 403 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7320	Thread sleep time: -806403s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7612	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7612	Thread sleep time: -84042s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596	Thread sleep count: 1265 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596	Thread sleep time: -2531265s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7556	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7556	Thread sleep count: 227 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588	Thread sleep count: 1266 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588	Thread sleep time: -2533266s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7556	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7708	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7708	Thread sleep time: -80040s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7692	Thread sleep count: 1182 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7692	Thread sleep time: -2365182s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7564	Thread sleep count: 105 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7564	Thread sleep count: 81 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7688	Thread sleep count: 1229 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7688	Thread sleep time: -2459229s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7564	Thread sleep count: 215 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7700	Thread sleep count: 1302 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7700	Thread sleep time: -2605302s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7564	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7920	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7920	Thread sleep time: -76038s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7904	Thread sleep count: 1323 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7904	Thread sleep time: -2647323s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7992	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7876	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7876	Thread sleep count: 114 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7876	Thread sleep count: 153 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7896	Thread sleep count: 1270 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7896	Thread sleep time: -2541270s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7876	Thread sleep count: 92 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7900	Thread sleep count: 1217 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7900	Thread sleep time: -2435217s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7892	Thread sleep count: 1275 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7892	Thread sleep time: -2551275s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7220	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7220	Thread sleep time: -118059s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7196	Thread sleep count: 58 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7196	Thread sleep time: -116058s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6280	Thread sleep count: 70 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6280	Thread sleep count: 112 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6440	Thread sleep count: 1521 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6440	Thread sleep time: -3043521s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4080	Thread sleep count: 1502 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4080	Thread sleep time: -3005502s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6280	Thread sleep count: 113 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4900	Thread sleep count: 1526 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4900	Thread sleep time: -3053526s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6280	Thread sleep count: 82 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4828	Thread sleep count: 1371 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4828	Thread sleep time: -2743371s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2724	Thread sleep count: 1499 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2724	Thread sleep time: -2999499s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6280	Thread sleep count: 41 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: RageMP131.exe, RageMP131.exe, 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: 90ZF1EDs9h.exe, 00000000.00000003.1672128094.0000000000B88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}z]
Source: MPGPH131.exe, 00000005.00000003.1694159336.0000000000D45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&0000
Source: RageMP131.exe, 00000009.00000003.1891360029.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp'
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000DDC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2319200721.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000005.00000002.2965341053.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&%
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2319200721.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: MPGPH131.exe, 00000006.00000003.1711821266.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}v
Source: RageMP131.exe, 00000009.00000003.1891360029.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Fc
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: RageMP131.exe, 00000007.00000003.1811415935.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000D50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&db
Source: 90ZF1EDs9h.exe, 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: RageMP131.exe, 00000007.00000003.1811415935.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}o
Source: 90ZF1EDs9h.exe, 00000000.00000003.1672128094.0000000000B88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000007.00000002.2965177153.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&;

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_04BC04E4 Start: 04BC055D End: 04BC04A1	0_2_04BC04E4
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_04BC0AEF Start: 04BC0AF6 End: 04BC0B00	0_2_04BC0AEF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_04D102F9 Start: 04D10474 End: 04D102C8	5_2_04D102F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_04C50587 Start: 04C505B6 End: 04C505BC	6_2_04C50587
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_04F803CB Start: 04F80525 End: 04F80403	7_2_04F803CB

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

Code function: 0_2_04BC0728 rdtsc

0_2_04BC0728

Source: RageMP131.exe, RageMP131.exe, 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmp

Binary or memory string: xProgram Manager

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

Code function: 0_2_0007361D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_0007361D

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: 90ZF1EDs9h.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7132, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: 90ZF1EDs9h.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7132, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	2 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	24 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	2 Process Injection	Security Account Manager	741 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	24 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	2 Process Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	214 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
90ZF1EDs9h.exe	53%	Virustotal		Browse
90ZF1EDs9h.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	50%	ReversingLabs	Win32.Trojan.RisePro
C:\ProgramData\MPGPH131\MPGPH131.exe	53%	Virustotal		Browse
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	50%	ReversingLabs	Win32.Trojan.RisePro
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	53%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ipinfo.io	0%	Virustotal		Browse
db-ip.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://ipinfo.io/	0%	URL Reputation	safe
https://ipinfo.io:443/widget/demo/8.46.123.33	0%	Avira URL Cloud	safe
https://db-ip.com:443/demo/home.php?s=8.46.123.33J	0%	Avira URL Cloud	safe
https://t.me/risepro_botSS	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.33$	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33#H	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33H	0%	Avira URL Cloud	safe
https://t.v	0%	Avira URL Cloud	safe
https://db-ip.com/	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://ipinfo.io/alj	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.33S	0%	Avira URL Cloud	safe
https://db-ip.com/	0%	Virustotal		Browse
https://t.me/risepro_botSS	0%	Virustotal		Browse
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Virustotal		Browse
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://t.me/risepro	0%	Avira URL Cloud	safe
https://ipinfo.io/Mozilla/5.0	0%	Avira URL Cloud	safe
https://t.me/risepro_botA$	0%	Avira URL Cloud	safe
https://ipinfo.io/tuO	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33~	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Virustotal		Browse
https://t.me/risepro_botj/	0%	Avira URL Cloud	safe
https://ipinfo.io/Mozilla/5.0	0%	Virustotal		Browse
https://t.me/risepro_bot	0%	Avira URL Cloud	safe
https://t.me/risepro	0%	Virustotal		Browse
https://t.me/RiseProSUPPORT8?	0%	Avira URL Cloud	safe
https://t.me/risepro_botGc	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33	0%	Avira URL Cloud	safe
https://t.me/risepro_bot	0%	Virustotal		Browse
https://www.maxmind.com/en/locate-my-ip-address	0%	Avira URL Cloud	safe
https://t.me/riseproD	0%	Avira URL Cloud	safe
https://ipinfo.io/s	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33q	0%	Avira URL Cloud	safe
https://db-ip.com:443/demo/home.php?s=8.46.123.33	0%	Avira URL Cloud	safe
https://www.maxmind.com/en/locate-my-ip-address	0%	Virustotal		Browse
https://t.me/risepro_botisepro_bot	0%	Avira URL Cloud	safe
https://ipinfo.io/s	0%	Virustotal		Browse
http://www.winimage.com/zLibDll	0%	Avira URL Cloud	safe
https://t.me/riseproF	0%	Avira URL Cloud	safe
https://t.me/risepro_botisepro_bot	0%	Virustotal		Browse
https://t.me/riseproD	0%	Virustotal		Browse
https://ipinfo.io/W&	0%	Avira URL Cloud	safe
https://db-ip.com/l/.	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.33	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORTz	0%	Avira URL Cloud	safe
https://t.me/risepro_botp	0%	Avira URL Cloud	safe
https://t.me/risepro_botp	0%	Virustotal		Browse
https://t.me/RiseProSUPPORTz	1%	Virustotal		Browse
http://www.winimage.com/zLibDll	1%	Virustotal		Browse
https://db-ip.com/l/.	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	false	0%, Virustotal, Browse	unknown
db-ip.com	104.26.5.15	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/	false	URL Reputation: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33	false	Avira URL Cloud: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://db-ip.com/demo/home.php?s=8.46.123.33$	MPGPH131.exe, 00000005.00000002.2965341053.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.33J	MPGPH131.exe, 00000006.00000002.2965067378.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io:443/widget/demo/8.46.123.33	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botSS	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33#H	RageMP131.exe, 00000007.00000002.2965177153.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33H	MPGPH131.exe, 00000006.00000002.2965067378.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.v	90ZF1EDs9h.exe, 00000000.00000002.2975858179.0000000007720000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2967167251.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302053976.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2319159509.0000000000E53000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E54000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	90ZF1EDs9h.exe, 00000000.00000003.1654226982.0000000004960000.00000004.00001000.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1681138634.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1681761352.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1788309686.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.1867802367.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.33S	MPGPH131.exe, 00000005.00000002.2967167251.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302053976.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/alj	MPGPH131.exe, 00000006.00000002.2965067378.0000000000E01000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/Mozilla/5.0	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2319200721.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/risepro	MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/tuO	RageMP131.exe, 00000009.00000002.2964515667.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botA$	RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33~	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B86000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botj/	MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_bot	RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT8?	MPGPH131.exe, 00000006.00000002.2965067378.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botGc	RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.maxmind.com/en/locate-my-ip-address	RageMP131.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/riseproD	MPGPH131.exe, 00000005.00000002.2967167251.0000000000D84000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/s	MPGPH131.exe, 00000006.00000002.2965067378.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33q	MPGPH131.exe, 00000005.00000002.2965341053.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.33	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botisepro_bot	RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	90ZF1EDs9h.exe, 00000000.00000003.1654226982.0000000004960000.00000004.00001000.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1681138634.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1681761352.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1788309686.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.1867802367.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/riseproF	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/W&	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B37000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/l/.	RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORTz	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/risepro_botp	RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
104.26.5.15	db-ip.com	United States	13335	CLOUDFLARENETUS	false
77.91.77.66	unknown	Russian Federation	42861	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1461305
Start date and time:	2024-06-23 18:34:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	90ZF1EDs9h.exe renamed because original name is a hash value
Original Sample Name:	9437d6cf2745f8683c3aa908e01b03cf.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/5@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:35:26	API Interceptor	1155850x Sleep call for process: 90ZF1EDs9h.exe modified
12:35:29	API Interceptor	1968147x Sleep call for process: MPGPH131.exe modified
12:35:39	API Interceptor	1362557x Sleep call for process: RageMP131.exe modified
17:34:58	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
17:34:58	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
17:35:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
17:35:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
104.26.5.15	SecuriteInfo.com.Win64.Evo-gen.17494.7440.exe	Get hash	malicious	Unknown	Browse	api.db-ip.com/v2/free/127.0.0.1
	Nemty.exe	Get hash	malicious	Nemty	Browse	api.db-ip.com/v2/free/84.17.52.2/countryName
	227.exe	Get hash	malicious	Nemty	Browse	api.db-ip.com/v2/free/102.129.143.40/countryName
77.91.77.66	Ke5ufWcgxp.exe	Get hash	malicious	RisePro Stealer	Browse
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	plTAoSCew2.exe	Get hash	malicious	RisePro Stealer	Browse
	7rA1iX60wh.exe	Get hash	malicious	RisePro Stealer	Browse
	PNO3otPYOa.exe	Get hash	malicious	RisePro Stealer	Browse
	YnsEArPlqx.exe	Get hash	malicious	RisePro Stealer	Browse
	AlCsIOd0pd.exe	Get hash	malicious	RisePro Stealer	Browse
	setup.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	bFZYRLnRIz.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer	Browse	34.117.186.192
	4h4b4EWVNU.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	34.117.186.192
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	PsHQsuTG0H.dll	Get hash	malicious	Unknown	Browse	34.117.186.192
	plTAoSCew2.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	7rA1iX60wh.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	PsHQsuTG0H.dll	Get hash	malicious	Unknown	Browse	34.117.186.192
	PNO3otPYOa.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
db-ip.com	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	http://feedbackreview-id0284892389423.d1o0pnrgaue9g2.amplifyapp.com/index.html	Get hash	malicious	Unknown	Browse	104.26.4.15
	file.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	plTAoSCew2.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	7rA1iX60wh.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	PNO3otPYOa.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	YnsEArPlqx.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	setup.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	104.26.5.15
	D44CPdpkNk.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	setup.exe	Get hash	malicious	Amadey	Browse	77.91.77.81
	mCTacyNuyM.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	77.91.77.81
	Ke5ufWcgxp.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	yWny5Jds8b.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse	77.91.77.81
	file.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SmokeLoader	Browse	77.91.77.81
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	file.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	setup.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	77.91.77.81
	setup.exe	Get hash	malicious	Amadey	Browse	77.91.77.81
	It5068xROy.dll	Get hash	malicious	RedLine	Browse	77.91.77.6
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	bFZYRLnRIz.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer	Browse	34.117.186.192
	http://dllavy.wixsite.com/mybt-view/	Get hash	malicious	Unknown	Browse	34.117.60.144
	4h4b4EWVNU.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	34.117.186.192
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	https://peringatanfb772.wixsite.com/mysite	Get hash	malicious	Unknown	Browse	34.117.60.144
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	PsHQsuTG0H.dll	Get hash	malicious	Unknown	Browse	34.117.186.192
	plTAoSCew2.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	7rA1iX60wh.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
CLOUDFLARENETUS	FieroHack.exe	Get hash	malicious	LummaC, Xmrig	Browse	104.21.49.90
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.89.170
	Extreme injector.exe	Get hash	malicious	LummaC	Browse	104.21.49.90
	SecuriteInfo.com.Win64.DropperX-gen.26552.421.exe	Get hash	malicious	Unknown	Browse	104.26.3.16
	SecuriteInfo.com.Win64.DropperX-gen.26552.421.exe	Get hash	malicious	Unknown	Browse	104.26.3.16
	mCTacyNuyM.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	188.114.97.3
	qEGv2vQa9X.elf	Get hash	malicious	Mirai	Browse	1.14.29.35
	zQ35ev2Uw0.elf	Get hash	malicious	Mirai	Browse	1.14.29.22
	3jeKnZMljk.elf	Get hash	malicious	Mirai	Browse	1.4.15.178
	iDUGkVNndq.elf	Get hash	malicious	Mirai	Browse	1.13.112.146

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	FieroHack.exe	Get hash	malicious	LummaC, Xmrig	Browse	104.26.5.15 34.117.186.192
	setup.exe	Get hash	malicious	LummaC	Browse	104.26.5.15 34.117.186.192
	Extreme injector.exe	Get hash	malicious	LummaC	Browse	104.26.5.15 34.117.186.192
	SecuriteInfo.com.Win64.DropperX-gen.26552.421.exe	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	SecuriteInfo.com.Win64.DropperX-gen.26552.421.exe	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	mCTacyNuyM.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	104.26.5.15 34.117.186.192
	yWny5Jds8b.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse	104.26.5.15 34.117.186.192
	abc.docx	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	bFZYRLnRIz.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer	Browse	104.26.5.15 34.117.186.192
	YNsc5U2Qff.exe	Get hash	malicious	LummaC	Browse	104.26.5.15 34.117.186.192

Process:	C:\Users\user\Desktop\90ZF1EDs9h.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2432512
Entropy (8bit):	7.963848035462459
Encrypted:	false
SSDEEP:	49152:jtkCJbOK+TKeNUXXO08QNPXzhVJGcF6V5sN7sqlvI:hkaOz32XxNPXzwcF8uN7sS
MD5:	9437D6CF2745F8683C3AA908E01B03CF
SHA1:	4B954D00882C8249D11B61440976B2993AE4738A
SHA-256:	D3D0EEAB1A06460ED303B065248DB53D47BFD5C253324B0D2F9EFCC2DC700A47
SHA-512:	8F8EF99107B126D82D5545ED8108FD1ECB6C3B743134766A1C213EE0667CADD1F0F0ADD0A3F2B111D990E45CD2A10480EB2DD44276CC4956F3DBAA5EA46F2F8E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 53%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....\|........^...........@..........................._.....R.%...@.................................^...r.......8.....................^...............................^..............................6..@................... . ............................@....rsrc...8...........................@....idata ............................@... ..+.........................@...pobzuwwq. ....D.....................@...bxltxemr......^.......$.............@....taggant.0....^.."....$.............@...........................................................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\90ZF1EDs9h.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\90ZF1EDs9h.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2432512
Entropy (8bit):	7.963848035462459
Encrypted:	false
SSDEEP:	49152:jtkCJbOK+TKeNUXXO08QNPXzhVJGcF6V5sN7sqlvI:hkaOz32XxNPXzwcF8uN7sS
MD5:	9437D6CF2745F8683C3AA908E01B03CF
SHA1:	4B954D00882C8249D11B61440976B2993AE4738A
SHA-256:	D3D0EEAB1A06460ED303B065248DB53D47BFD5C253324B0D2F9EFCC2DC700A47
SHA-512:	8F8EF99107B126D82D5545ED8108FD1ECB6C3B743134766A1C213EE0667CADD1F0F0ADD0A3F2B111D990E45CD2A10480EB2DD44276CC4956F3DBAA5EA46F2F8E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 53%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....\|........^...........@..........................._.....R.%...@.................................^...r.......8.....................^...............................^..............................6..@................... . ............................@....rsrc...8...........................@....idata ............................@... ..+.........................@...pobzuwwq. ....D.....................@...bxltxemr......^.......$.............@....taggant.0....^.."....$.............@...........................................................................................................................................................................................

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\90ZF1EDs9h.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\90ZF1EDs9h.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	13
Entropy (8bit):	2.565448371820826
Encrypted:	false
SSDEEP:	3:LQ4d:X
MD5:	7640C92C58528DD1D0FD215B3C8CC25A
SHA1:	8AB07336FF3C7903709E417E34F15422F009A63E
SHA-256:	1D49814F62680FAE227628DA18EBC5CAC764B1BABD2DEF8472E02B4AE0E4463D
SHA-512:	B36EA4DDB0DEB9D7B5D4DD931DAB71270BFC880A3557F5432364222B2B18BBB434D5B81E171C8DA3AA68BDDB501BC0CA4F35163CD467E4526BB36ABF10F22DB1
Malicious:	false
Reputation:	low
Preview:	1719165164968

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.963848035462459
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	90ZF1EDs9h.exe
File size:	2'432'512 bytes
MD5:	9437d6cf2745f8683c3aa908e01b03cf
SHA1:	4b954d00882c8249d11b61440976b2993ae4738a
SHA256:	d3d0eeab1a06460ed303b065248db53d47bfd5c253324b0d2f9efcc2dc700a47
SHA512:	8f8ef99107b126d82d5545ed8108fd1ecb6c3b743134766a1c213ee0667cadd1f0f0add0a3f2b111d990e45cd2a10480eb2dd44276cc4956f3dbaa5ea46f2f8e
SSDEEP:	49152:jtkCJbOK+TKeNUXXO08QNPXzhVJGcF6V5sN7sqlvI:hkaOz32XxNPXzwcF8uN7sS
TLSH:	10B53322E936E654FC52253816FA4197E33ADA345E9A7AA17605334F8B77310FFBE004
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s

File Icon


Icon Hash:	8596a1a0a1a1b171

Static PE Info

General

Entrypoint:	0x9ed000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x664C6914 [Tue May 21 09:27:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F7374C81B8Ah
paddb mm4, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F7374C83B85h
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [edx+ecx], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18c05e	0x72	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18a000	0x1638	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5eb6f8	0x10	pobzuwwq
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5eb6a8	0x18	pobzuwwq
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x18369c	0x40
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x189000	0xab400	2889d39d9afe63d22158841a0070b7f2	False	0.998056854470803	data	7.980016205845924	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x18a000	0x1638	0x1800	fe6f3fdb9e7e97cba92d8ce4e4fcc95b	False	0.7220052083333334	data	6.54017046361188	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x18c000	0x1000	0x200	0e14477ce436cc9ebd87f17a92173639	False	0.1640625	data	1.180504109820196	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x18d000	0x2bd000	0x200	8d1043f3f55c05ca6d9abd5bceaadddc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pobzuwwq	0x44a000	0x1a2000	0x1a1800	fef0d23f91621cfcdea52c9493f96f57	False	0.9947049260853293	data	7.953477305499687	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bxltxemr	0x5ec000	0x1000	0x400	cf8df7fe015740d70b8493e719059a83	False	0.80078125	data	6.2687999848900615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x5ed000	0x3000	0x2200	f1ae51caf03b7b6be6e749c08b032732	False	0.06410845588235294	DOS executable (COM)	0.772229905710431	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x18a440	0x1060	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.8838263358778626
RT_GROUP_ICON	0x18b4a0	0x14	data	Russian	Russia	1.05
RT_VERSION	0x18a130	0x310	data	Russian	Russia	0.45408163265306123
RT_MANIFEST	0x18b4b8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/23/24-18:37:04.646362	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49732	58709	192.168.2.4	77.91.77.66
06/23/24-18:37:07.646023	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49731	58709	192.168.2.4	77.91.77.66
06/23/24-18:37:06.583631	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49747	58709	192.168.2.4	77.91.77.66
06/23/24-18:34:58.970157	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49731	58709	192.168.2.4	77.91.77.66
06/23/24-18:35:36.288691	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49747	77.91.77.66	192.168.2.4
06/23/24-18:37:05.458696	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49735	58709	192.168.2.4	77.91.77.66
06/23/24-18:35:02.465607	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49732	77.91.77.66	192.168.2.4
06/23/24-18:35:21.729696	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49747	77.91.77.66	192.168.2.4
06/23/24-18:34:59.553336	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49731	77.91.77.66	192.168.2.4
06/23/24-18:35:03.603959	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49733	77.91.77.66	192.168.2.4
06/23/24-18:37:04.786800	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49733	58709	192.168.2.4	77.91.77.66
06/23/24-18:35:13.471006	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49735	77.91.77.66	192.168.2.4
06/23/24-18:35:12.390867	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49731	77.91.77.66	192.168.2.4
06/23/24-18:35:13.312009	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49732	77.91.77.66	192.168.2.4
06/23/24-18:35:14.392680	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49733	77.91.77.66	192.168.2.4
06/23/24-18:35:28.664022	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49735	77.91.77.66	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 23, 2024 18:34:58.939028025 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:34:58.944359064 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:34:58.944461107 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:34:58.970156908 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:34:58.975405931 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:34:59.553335905 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:34:59.598020077 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:01.146855116 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:01.152257919 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:01.152337074 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:01.172148943 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:01.179097891 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:02.465606928 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:02.520031929 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:02.676666021 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:02.681879044 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:02.911896944 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:02.918407917 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:02.918668032 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:02.938585043 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:02.949948072 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:03.603959084 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:03.645085096 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:05.600729942 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:05.607413054 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:06.723187923 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:06.728193045 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:12.390866995 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:12.441975117 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:12.493689060 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:12.493726969 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:12.493788958 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:12.494719028 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:12.494730949 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:12.871846914 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:12.877345085 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:12.877439022 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:12.899554968 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:12.905499935 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:12.952986956 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:12.953052044 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:12.955729008 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:12.955739021 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:12.955966949 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:12.995399952 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.036539078 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.125442028 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.125550985 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.125593901 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.128230095 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.128248930 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.128259897 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.128264904 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.157634974 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.157723904 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.158070087 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.158212900 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.158245087 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.312009096 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:13.363712072 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:13.401850939 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.401875973 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.401951075 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.402900934 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.402909994 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.471005917 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:13.519956112 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:13.641647100 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.641832113 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.643337011 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.643395901 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.643635035 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.644740105 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.692588091 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.877681017 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.877765894 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.877938032 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.878024101 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.878024101 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.878098965 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.878130913 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.878499985 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:13.880835056 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.880928040 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.881979942 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.881985903 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.882201910 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.883603096 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:13.926204920 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.931946039 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.972539902 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:14.065515995 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:14.065614939 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:14.065699100 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:14.066260099 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:14.066277027 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:14.066303968 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:14.066308975 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:14.068361998 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.068375111 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.068470955 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.068757057 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.068767071 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.392679930 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:14.441984892 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:14.539515018 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.539608002 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.549438000 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.549454927 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.549674988 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.550885916 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.551362991 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:14.551450968 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:14.551551104 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:14.553174973 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:14.553226948 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:14.596513987 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.735122919 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.735215902 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.735342979 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.735496998 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.735496998 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.735511065 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.735518932 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.736361027 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:14.741449118 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:15.027765036 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:15.027846098 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:15.033541918 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:15.033582926 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:15.033845901 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:15.082695961 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:15.222057104 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:15.264548063 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:15.357161999 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:15.357269049 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:15.357356071 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:15.358289003 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:15.358289003 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:15.358357906 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:15.358393908 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:15.360291958 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:15.360335112 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:15.360414028 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:15.360716105 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:15.360737085 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:15.833093882 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:15.833230972 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:15.835309982 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:15.835370064 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:15.835608959 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:15.842025995 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:15.884572983 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:16.018692017 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:16.018981934 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:16.019192934 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:16.019192934 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:16.019192934 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:16.019500017 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:16.024492025 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:16.316981077 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:16.317047119 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:16.599487066 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:16.604655027 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:20.868304968 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:20.875525951 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:20.875688076 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:20.894154072 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:20.899358988 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:21.729696035 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:21.785727978 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:24.848390102 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:24.855691910 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:25.808855057 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:25.863987923 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:26.038768053 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:26.082534075 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:26.221426010 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:26.270159960 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:28.664021969 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:28.707535028 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:28.775810003 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:28.775901079 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:28.775986910 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:28.776850939 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:28.776876926 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.249680996 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.249789953 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:29.250977039 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:29.251008987 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.251353025 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.301275015 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:29.304995060 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:29.348584890 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.436757088 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.436899900 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.436965942 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:29.437676907 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:29.437721968 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.437751055 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:29.437767029 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.439748049 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:29.439837933 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:29.439920902 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:29.440191031 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:29.440217972 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:29.921181917 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:29.921413898 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:29.922535896 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:29.922629118 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:29.922993898 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:29.924138069 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:29.964550018 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:30.104144096 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:30.104262114 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:30.104345083 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:30.104547024 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:30.104604959 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:30.104645014 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:30.104661942 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:30.104799032 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:30.109746933 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:32.067198038 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:32.072654009 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:32.827420950 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:32.879416943 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:35.426471949 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:35.434161901 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:35.598685026 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:35.604379892 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:36.288691044 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:36.332581997 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:36.405381918 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:36.405467987 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:36.405548096 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:36.406512022 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:36.406552076 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:36.870301008 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:36.870533943 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:36.873888969 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:36.873945951 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:36.874315977 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:36.915782928 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:36.960587025 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:37.044912100 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:37.045202971 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:37.045454979 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:37.045454979 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:37.045454979 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:37.047142982 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.047256947 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.047334909 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.047584057 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.047621965 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.348263025 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:37.348328114 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:37.721832037 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.721927881 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.723264933 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.723303080 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.723639011 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.724754095 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.772495985 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.900257111 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.900552034 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.900624990 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.900702000 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.900751114 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.900799990 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.900815964 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.900995016 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:37.906968117 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:38.332878113 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:38.338552952 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:41.457818985 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:41.676461935 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:41.693837881 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:41.879678011 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:41.988967896 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:42.004471064 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:42.191961050 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:42.349049091 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.349560976 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.349634886 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:42.349674940 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.349731922 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:42.351248980 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.351279020 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.351306915 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.351339102 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.351366997 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.351398945 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.351439953 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:44.371795893 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:44.426351070 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:44.442219973 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:44.447124004 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:45.020314932 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:45.025675058 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:45.348522902 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:45.353976011 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:47.410583973 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:47.457608938 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:47.489289045 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:47.504838943 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:47.638755083 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:47.639239073 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:48.145483971 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:48.150768042 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:48.236190081 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:48.285854101 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:48.285972118 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:48.291534901 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:49.208529949 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:49.254482031 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:49.336169958 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:49.379503012 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:49.469643116 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:49.520140886 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:51.614125967 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:51.619298935 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:51.736634016 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:51.770386934 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:51.775435925 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:52.332884073 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:52.338912964 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:52.473480940 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:52.480582952 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:52.582792044 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:52.587893009 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:53.586498976 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:53.629563093 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:53.676635027 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:53.681626081 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:54.864085913 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:54.869389057 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:55.473392963 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:55.478650093 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:55.598534107 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:55.606103897 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:55.708446980 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:55.715094090 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:56.707835913 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:56.713270903 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:57.989167929 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:57.994687080 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:58.614278078 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:58.619864941 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:58.739018917 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:58.744657993 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:58.839248896 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:58.844578028 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:00.045552015 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:00.098261118 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:01.129982948 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:01.135159016 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:01.636744976 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:01.848262072 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:01.958117962 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:01.963093042 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:02.062897921 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:02.113991976 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:02.973634958 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:02.979120016 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:03.161379099 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:03.249124050 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:03.249744892 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:03.317265987 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:03.317338943 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:04.771620035 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:04.776926994 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:05.223829031 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:05.228847980 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:06.098754883 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:06.103771925 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:06.286355019 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:06.291388035 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:06.364468098 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:06.369788885 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:07.157258987 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:07.255112886 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:07.260281086 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:07.895575047 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:07.900929928 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:08.349034071 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:08.354177952 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:09.426862955 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:09.431888103 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:09.489721060 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:09.494760036 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:10.286386013 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:10.305349112 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:11.020863056 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:11.026087999 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:11.284737110 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:11.332681894 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:11.489408970 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:11.500243902 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:12.097340107 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:12.145173073 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:12.568563938 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:12.573581934 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:14.145618916 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:14.151154041 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:14.427030087 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:14.432101011 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:14.631315947 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:14.636296034 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:15.239362001 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:15.244395018 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:15.692759037 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:15.697943926 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:17.271881104 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:17.277091980 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:17.552079916 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:17.557306051 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:17.573442936 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:17.645200968 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:17.755362988 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:17.760474920 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:18.297748089 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:18.489083052 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:18.571548939 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:18.645210981 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:18.645979881 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:18.650908947 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:18.743520021 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:18.879582882 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:20.507417917 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:20.511279106 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:20.516568899 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:20.708579063 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:20.713711023 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:21.411884069 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:21.417385101 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:21.692819118 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:21.701765060 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:21.865894079 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:21.874464035 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:23.630383015 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:23.635519981 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:23.741945982 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:23.786973000 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:24.502542019 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:24.551980019 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:24.556873083 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:24.646425962 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:24.759926081 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:24.826591015 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:24.991167068 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:25.935925961 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:25.981652975 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:26.880310059 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:26.885363102 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:27.630398989 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:27.635535002 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:27.770886898 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:27.776096106 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:27.942915916 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:27.949517965 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:29.069511890 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:29.075340986 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:29.835297108 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:29.988996029 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:29.992683887 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:30.020941019 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:30.025821924 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:30.137871027 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:30.145267963 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:30.208794117 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:30.219950914 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:31.341242075 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:31.535871983 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.291187048 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.291239023 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.291273117 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.291299105 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.291559935 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.291613102 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.291677952 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.291708946 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.291749001 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.292047977 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.292077065 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.292109013 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.292119026 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.292176008 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.292217970 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.292265892 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.292444944 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.292496920 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.292543888 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.292748928 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.292795897 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.292989969 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.293019056 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.293061972 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.293138981 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.296154022 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.296202898 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.296260118 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.348357916 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.408762932 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.408880949 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.408962011 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.408977985 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.409091949 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.409125090 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.409135103 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.409157038 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.409207106 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.442780018 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.447626114 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.974072933 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.979515076 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:33.114697933 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:33.119645119 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:33.255448103 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:33.261111975 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:34.458523035 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:34.464775085 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:35.567934036 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:35.572979927 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:36.098906040 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:36.104110956 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:36.255362034 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:36.260251045 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:36.395792961 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:36.400655031 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:36.625050068 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:36.676528931 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:36.879581928 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:37.016875029 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:37.156642914 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:37.285993099 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:37.599044085 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:37.604120016 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:38.710453033 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:38.715574980 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:38.920219898 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:39.145267963 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:39.697488070 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:39.742943048 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:39.748100042 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:39.788479090 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:40.021107912 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:40.026454926 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:40.286501884 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:40.528534889 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:42.052409887 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:42.057467937 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:42.821286917 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:42.826402903 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:42.864723921 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:42.870469093 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:43.162338018 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:43.167712927 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:43.427160025 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:43.432353973 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:45.192955971 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:45.198065042 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:45.721152067 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:45.785928011 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:45.861783981 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:45.948628902 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:45.955468893 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:46.019632101 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:46.035928011 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:46.176528931 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:46.687335014 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:46.848419905 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:47.774614096 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:47.848429918 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:48.849133968 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:48.854142904 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:48.989753008 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:48.994721889 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:49.146194935 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:49.151087046 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:49.802202940 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:49.807547092 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:50.911817074 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:50.916995049 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:51.973957062 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:51.978939056 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:52.136207104 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:52.142293930 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:52.273390055 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:52.278467894 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:52.927182913 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:52.932044029 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:54.036406994 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:54.041385889 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:55.099309921 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:55.105591059 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:55.255364895 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:55.260418892 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:55.395852089 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:55.400779963 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:56.052212000 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:56.057085991 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:57.177198887 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:57.182192087 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:58.240009069 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:58.244925976 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:58.380453110 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:58.385426998 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:58.521096945 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:58.526997089 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:59.194861889 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:59.199800968 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:00.317905903 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:00.322900057 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:01.364969969 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:01.370029926 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:01.520993948 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:01.526114941 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:01.661699057 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:01.666558027 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:02.317768097 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:02.323278904 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:03.458442926 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:03.463998079 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:04.505218983 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:04.510317087 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:04.646362066 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:04.653469086 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:04.786799908 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:04.791894913 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:05.458695889 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:05.463727951 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:06.583631039 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:06.588677883 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:07.646023035 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:07.693927050 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:21.831301928 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:21.879781961 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:21.962130070 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:22.004802942 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:25.489065886 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:25.536147118 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:38.076787949 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:38.129846096 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:41.195319891 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:41.239217997 CEST	49747	58709	192.168.2.4	77.91.77.66

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 23, 2024 18:35:12.481183052 CEST	49186	53	192.168.2.4	1.1.1.1
Jun 23, 2024 18:35:12.489104033 CEST	53	49186	1.1.1.1	192.168.2.4
Jun 23, 2024 18:35:13.138309002 CEST	62782	53	192.168.2.4	1.1.1.1
Jun 23, 2024 18:35:13.150125027 CEST	53	62782	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 23, 2024 18:35:12.481183052 CEST	192.168.2.4	1.1.1.1	0x45e	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Jun 23, 2024 18:35:13.138309002 CEST	192.168.2.4	1.1.1.1	0xa6f6	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jun 23, 2024 18:35:12.489104033 CEST	1.1.1.1	192.168.2.4	0x45e	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false
Jun 23, 2024 18:35:13.150125027 CEST	1.1.1.1	192.168.2.4	0xa6f6	No error (0)	db-ip.com	104.26.5.15	A (IP address)	IN (0x0001)	false
Jun 23, 2024 18:35:13.150125027 CEST	1.1.1.1	192.168.2.4	0xa6f6	No error (0)	db-ip.com	172.67.75.166	A (IP address)	IN (0x0001)	false
Jun 23, 2024 18:35:13.150125027 CEST	1.1.1.1	192.168.2.4	0xa6f6	No error (0)	db-ip.com	104.26.4.15	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

https:

db-ip.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.4	49730	34.117.186.192	443

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:34:50 UTC	59	OUT	GET / HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2024-06-23 16:34:51 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 23 Jun 2024 16:34:50 GMT content-type: application/json; charset=utf-8 Content-Length: 319 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 1 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-23 16:34:51 UTC	319	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	34.117.186.192	443	7300	C:\Users\user\Desktop\90ZF1EDs9h.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:12 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-23 16:35:13 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 23 Jun 2024 16:35:13 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 1 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-23 16:35:13 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-23 16:35:13 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49736	104.26.5.15	443	7300	C:\Users\user\Desktop\90ZF1EDs9h.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:13 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-23 16:35:13 UTC	653	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 16:35:13 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: A29E3ED6:900A_93878F2E:0050_66784EC1_155994E6:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xm42o233PGoiYqNPbeDEmw1KzLE46Hg9jie7rP9W63eZPHubQ9cbKRz6x%2FIVOOcs7PXeUKESlpgxYVT21M2ofrtxOdeVPaH7lFqI8MxxFo6K5K%2F2RctEckFJxA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8985e3dacf640cb1-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 16:35:13 UTC	673	IN	Data Raw: 32 39 61 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a 5b Data Ascii: 29a{"status":"ok","demoInfo":{"ipAddress":"8.46.123.33","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":[
2024-06-23 16:35:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49738	34.117.186.192	443	7552	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:13 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-23 16:35:14 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 23 Jun 2024 16:35:14 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 1 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-23 16:35:14 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-23 16:35:14 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	104.26.5.15	443	7552	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:14 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-23 16:35:14 UTC	657	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 16:35:14 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: A29E9E84:FE64_93878F2E:0050_66784EC2_15463888:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VX%2F53%2FExKpJbt%2FDl8GcBT%2FYb0wS4c7etLwwBhhadIQ2ej9xLr5Lbe7KD85UIWd238eLIJC9R8uJ7HJGuTaAYW2l3JSV7kZT29in4mTjwUtdjdAv1gn3gR0IVQg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8985e3e059d841e7-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 16:35:14 UTC	673	IN	Data Raw: 32 39 61 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a 5b Data Ascii: 29a{"status":"ok","demoInfo":{"ipAddress":"8.46.123.33","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":[
2024-06-23 16:35:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	34.117.186.192	443	7560	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:15 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-23 16:35:15 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 23 Jun 2024 16:35:15 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-23 16:35:15 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-23 16:35:15 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	104.26.5.15	443	7560	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:15 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-23 16:35:16 UTC	653	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 16:35:15 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: A29E9F5A:FA86_93878F2E:0050_66784EC3_154638BC:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wexhpaynyoTQZn8cPI8zsoIB1sE18yK86UzG4ZGtfFQzAWa3une9uGAknVec%2Bhe6pChyy%2FX9lOu2d1TWHnW3g5xqQtM4KlXRyOY518HRgu1pru9QdxBfeCe9dw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8985e3e86cf442c8-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 16:35:16 UTC	673	IN	Data Raw: 32 39 61 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a 5b Data Ascii: 29a{"status":"ok","demoInfo":{"ipAddress":"8.46.123.33","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":[
2024-06-23 16:35:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49748	34.117.186.192	443	7872	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:29 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-23 16:35:29 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 23 Jun 2024 16:35:29 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 3 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-23 16:35:29 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-23 16:35:29 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49749	104.26.5.15	443	7872	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:29 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-23 16:35:30 UTC	651	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 16:35:30 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC466F13:4440_93878F2E:0050_66784ED2_15599765:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c4HM3UaCos119s2VL6Z2CHKy9vu935mDuAsTjMR6wavCGdmRNzLYc5Rv0aV%2B28cnskYzgW3oE9FvQPLrNXZW5d8bGNe9ms7shcXyAE0GJC56FGJxJdWo0YAChw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8985e4409eadc47a-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 16:35:30 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-06-23 16:35:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49750	34.117.186.192	443	7132	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:36 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-23 16:35:37 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 23 Jun 2024 16:35:36 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 3 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-23 16:35:37 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-23 16:35:37 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49751	104.26.5.15	443	7132	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:37 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-23 16:35:37 UTC	659	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 16:35:37 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC466F96:51E2_93878F2E:0050_66784ED9_155998AB:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wJAZ%2BL8vpx2O7Cw1J7y2XPAAZzaU5R5VmIKQKMUaiK4Q6gHdy2GQP3yvFjSgiOHbfHC5wKTxM%2BUwWUpYa%2Fz0C%2BvhxN3YEY6tn5tTqsSlJW%2B2KhKANevaDv4rbg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8985e47159d31921-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 16:35:37 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-06-23 16:35:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:34:55
Start date:	23/06/2024
Path:	C:\Users\user\Desktop\90ZF1EDs9h.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\90ZF1EDs9h.exe"
Imagebase:	0x40000
File size:	2'432'512 bytes
MD5 hash:	9437D6CF2745F8683C3AA908E01B03CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:34:58
Start date:	23/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0x7e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:34:58
Start date:	23/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:34:58
Start date:	23/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0x7e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:34:58
Start date:	23/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:34:58
Start date:	23/06/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x190000
File size:	2'432'512 bytes
MD5 hash:	9437D6CF2745F8683C3AA908E01B03CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs Detection: 53%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:34:58
Start date:	23/06/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x190000
File size:	2'432'512 bytes
MD5 hash:	9437D6CF2745F8683C3AA908E01B03CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	12:35:08
Start date:	23/06/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x3e0000
File size:	2'432'512 bytes
MD5 hash:	9437D6CF2745F8683C3AA908E01B03CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs Detection: 53%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:35:17
Start date:	23/06/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x3e0000
File size:	2'432'512 bytes
MD5 hash:	9437D6CF2745F8683C3AA908E01B03CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0.5%
Signature Coverage:	2.6%
Total number of Nodes:	1822
Total number of Limit Nodes:	26

Executed Functions

Function 00049280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0018D15C,00000000,74D723A0,-001C9880), ref: 000496C9

Strings

Ws2_32.dll, xrefs: 0004969A

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: Send
String ID: Ws2_32.dll
API String ID: 121738739-3093949381
Opcode ID: a4a2fd2944bafc0f22d7fc12635688d82f9059a89c36c61644f7358b3fc14581
Instruction ID: a9470d7aa7b29b553c153853f734b3d7c7ab4afbd65823d2d47a83fd670db753
Opcode Fuzzy Hash: a4a2fd2944bafc0f22d7fc12635688d82f9059a89c36c61644f7358b3fc14581
Instruction Fuzzy Hash: 6602FEB0D04298DFDF24CFA4C8907ADBBB0EF55304F2442ADE4856B286D7741A86CF96

Function 04BC0728 Relevance: 1.7, APIs: 1, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000F671), ref: 04BC08DB

Memory Dump Source

Source File: 00000000.00000002.2973286707.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_90ZF1EDs9h.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6a8bab0f4e8ab22fe7e13ec41d69dafe62d82dd5475b0f348f1f38349df15119
Instruction ID: 72c06ce309c36ab7bfebb4719511ac28370138bec3212765c492dc20ad379021
Opcode Fuzzy Hash: 6a8bab0f4e8ab22fe7e13ec41d69dafe62d82dd5475b0f348f1f38349df15119
Instruction Fuzzy Hash: 15412DFB24C211BDB50291866F90EFB676DD5D2B70731C86BF843C2506E3D85E4A6532

Function 00107B00 Relevance: 16.8, APIs: 11, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000434,0000FFFF,00001006,?,00000008), ref: 00107BA7
recv.WS2_32(?,00000004,00000002), ref: 00107BC1
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00107C43
recv.WS2_32(00000000,0000000C,00000008), ref: 00107C64
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?,00000000), ref: 00107D01

Part of subcall function 00108590: WSAStartup.WS2_32 ref: 001085BA
Part of subcall function 00108590: socket.WS2_32(?,?,?,?,?,?,001C9328,?,?), ref: 0010865E
Part of subcall function 00108590: connect.WS2_32(00000000,00199BFC,?,?,?,?,001C9328,?,?), ref: 00108672
Part of subcall function 00108590: closesocket.WS2_32(00000000), ref: 0010867D

recv.WS2_32(00000000,?,00000008), ref: 00107D1B
recv.WS2_32(?,00000004,00000008), ref: 00107E23
__Xtime_get_ticks.LIBCPMT ref: 00107E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00107E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00107EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00107EB9

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: recv$Sleepsetsockopt$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsocket
String ID:
API String ID: 301102601-0
Opcode ID: 121e46e33c4ecb12b29aadedb48de41867493272cc10d85b467a8e088d550c2f
Instruction ID: bc941a876637e00b4d20b6258cbba69a7745fbea31fcecf70c5b8d0d71abcdab
Opcode Fuzzy Hash: 121e46e33c4ecb12b29aadedb48de41867493272cc10d85b467a8e088d550c2f
Instruction Fuzzy Hash: F3B1AFB0D04348DFEB10DBA4CD49BADBFB1BB45300F204259E494AB6D2D7B5AD84CB91

Function 00108590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 001085BA
socket.WS2_32(?,?,?,?,?,?,001C9328,?,?), ref: 0010865E
connect.WS2_32(00000000,00199BFC,?,?,?,?,001C9328,?,?), ref: 00108672
closesocket.WS2_32(00000000), ref: 0010867D

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: ee81b9fed91e043f0b1a4ec7f11a3d9d8dc7c0e7c93af88d0f7ca583714be5ad
Instruction ID: 4bb73c6c782b7321c803c80d202d87552235598944838a34c30c6a24f8179bb9
Opcode Fuzzy Hash: ee81b9fed91e043f0b1a4ec7f11a3d9d8dc7c0e7c93af88d0f7ca583714be5ad
Instruction Fuzzy Hash: BE3137726043405BD7209F24CC4466BB7E9FFC6334F050F1AF9E8A22D0D7B1980486A3

Function 04BC0770 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000F671), ref: 04BC08DB

Memory Dump Source

Source File: 00000000.00000002.2973286707.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_90ZF1EDs9h.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ca0f2bcc49bdd88302fca6cbce53d9a8f80b8044e3b76a433aedf9907e5aa1a1
Instruction ID: 39a28a7b3b5b1db26242466ee1f20ba1a1743d3be440a15b8a29b076a275cfe1
Opcode Fuzzy Hash: ca0f2bcc49bdd88302fca6cbce53d9a8f80b8044e3b76a433aedf9907e5aa1a1
Instruction Fuzzy Hash: ED415DFB24C221BDB50291862F90EFB676DE6D6B70731C47BF442C2506E2D45A4A6531

Function 04BC0759 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000F671), ref: 04BC08DB

Memory Dump Source

Source File: 00000000.00000002.2973286707.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_90ZF1EDs9h.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 2de7a9a1b0234a9112b9e6bb5606aa8d7a00238493f6f3f2dc4a362fbea7e42a
Instruction ID: 1c9a41b4610a114f278086cd5e4190e9c75dc52591f334705e57158b7a8be038
Opcode Fuzzy Hash: 2de7a9a1b0234a9112b9e6bb5606aa8d7a00238493f6f3f2dc4a362fbea7e42a
Instruction Fuzzy Hash: 99414FFB34C111BDB50291962F94EFB676DD5D6770731C46BF442C2106E3D45E4A6431

Function 00089789 Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0008990E

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 476579008cebdaf1d85365e1f2b4743e0dbd684ad87138b29b507cfd0ce00100
Instruction ID: 8eba6bd4dc0721b4aa5bf02f82bc77f7dfc10399695a59e44f35bc2efa32c11f
Opcode Fuzzy Hash: 476579008cebdaf1d85365e1f2b4743e0dbd684ad87138b29b507cfd0ce00100
Instruction Fuzzy Hash: 18619F71D0411AAFDF11BFA8C884AFEBBF9BF49304F180149E980A7246D732D951CBA0

Function 04BC078A Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000F671), ref: 04BC08DB

Memory Dump Source

Source File: 00000000.00000002.2973286707.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_90ZF1EDs9h.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 40936b771908716129534c01b480dde5ac758d3c2061290719dc2fc1c9815848
Instruction ID: bb8b7aee6046bfbfe0caf351f9ac9dcd334aac99f28a61acad66f9bb67562dd6
Opcode Fuzzy Hash: 40936b771908716129534c01b480dde5ac758d3c2061290719dc2fc1c9815848
Instruction Fuzzy Hash: E7314AFB24C221BCB50291862FA0EFB57ADD6D6B30731C87BF842C2106E2D45E8A6131

Function 04BC07E9 Relevance: 1.7, APIs: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000F671), ref: 04BC08DB

Memory Dump Source

Source File: 00000000.00000002.2973286707.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_90ZF1EDs9h.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8f748c87b762ed6b5797f067111037030593df1d72d09cf201a988d3f5dbd78c
Instruction ID: 8f5a8661c358611a2e2af236da229709ab3e830a10fc6be3a32c6339787850d4
Opcode Fuzzy Hash: 8f748c87b762ed6b5797f067111037030593df1d72d09cf201a988d3f5dbd78c
Instruction Fuzzy Hash: B7314BFB20C221BCB60190862FA4EFB576DE6D1B70B31C4BBF842C2106E2D45E8D6131

Function 04BC0890 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000F671), ref: 04BC08DB

Memory Dump Source

Source File: 00000000.00000002.2973286707.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_90ZF1EDs9h.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b27a8beed830b74c1dd8a66f46e46c4220017072c4cc485c46b6fa5f9bb3232e
Instruction ID: 3909b09f8cc3d235478229106e8b37070f09d6134649de51802ee3ed6e5596b0
Opcode Fuzzy Hash: b27a8beed830b74c1dd8a66f46e46c4220017072c4cc485c46b6fa5f9bb3232e
Instruction Fuzzy Hash: ED21A0FB30C211ADB601E5852BA4EFB676DE6D1B30731C8AFF442C2046F290AA4E6471

Function 04BC0836 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000F671), ref: 04BC08DB

Memory Dump Source

Source File: 00000000.00000002.2973286707.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_90ZF1EDs9h.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 306dbade461522083f74229d60aac6a3c029a7023ec106c88fd3e58abc4f5b48
Instruction ID: 472dea23c53cdcde354c08267c91c09ee17925f99acf02015f5610a10ef7d90c
Opcode Fuzzy Hash: 306dbade461522083f74229d60aac6a3c029a7023ec106c88fd3e58abc4f5b48
Instruction Fuzzy Hash: A3114AFB20C121ADB602D1966FA0EFB576CE6D5B3073188BBF543C2046E2D46A896531

Function 04BC085D Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000F671), ref: 04BC08DB

Memory Dump Source

Source File: 00000000.00000002.2973286707.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_90ZF1EDs9h.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: da47f3e9297747cba8c10b5e559ec80d54d84a9493d8d0487989a8491f6d471b
Instruction ID: c7d6d73764204360222a31229d017d621b80aad1a604d9545820ef6005bc1826
Opcode Fuzzy Hash: da47f3e9297747cba8c10b5e559ec80d54d84a9493d8d0487989a8491f6d471b
Instruction Fuzzy Hash: 02115BFB60C121BDB60291866F94EFA677CE6D5B3073188AFF942C2005F3A46A496531

Function 04BC08C7 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000F671), ref: 04BC08DB

Memory Dump Source

Source File: 00000000.00000002.2973286707.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_90ZF1EDs9h.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 3159371ebe900dc21d0bc75c499ea95f3207f469b51f9a5d0e2f487728835ce0
Instruction ID: 0b277d03832638ae0edde5e253d5305cbe5aed3e8b332ff14f4eb0a20c3f022b
Opcode Fuzzy Hash: 3159371ebe900dc21d0bc75c499ea95f3207f469b51f9a5d0e2f487728835ce0
Instruction Fuzzy Hash: 2601ADFB30C112ADB60195962BA0FFA67BDE6D5B3077188ABF942C6006E3D06A4D6531

Function 00088DFF Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00088CE6,00000000,?,001BA178,0000000C,00088DA2,?,?,?), ref: 00088E55

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d267c85e84cc2aa3d95cdf9b47bdd62cf0471f83cc06e2c88b7fadbc081f3980
Instruction ID: e8a623725f96653b342bc85000e0e31a2324b5fdf81a08d656d9f88ce618d40b
Opcode Fuzzy Hash: d267c85e84cc2aa3d95cdf9b47bdd62cf0471f83cc06e2c88b7fadbc081f3980
Instruction Fuzzy Hash: 8111AB3360516416C6A03234AC85BBE2BC96B83738F684699F9C88B0C3DFB0CC824359

Function 0008251C Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00082626,?,?,?,?,?), ref: 00082558

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ecb316e5aa332a764089ad01330399352794391211d4e6b67153f652fd41ec73
Instruction ID: b14febf1e2efe8b061a6068e58a926df1508ac8d214211ac4a2e8de14ddf4da9
Opcode Fuzzy Hash: ecb316e5aa332a764089ad01330399352794391211d4e6b67153f652fd41ec73
Instruction Fuzzy Hash: 7A012632640645AFCF19EF68CC11C9E3B69EF85330B340148F8909B2A1EA71ED818B94

Function 000432D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0004331F

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: 7ad16dac2deb31805d31c646f93367d19d41169be7b9d0c557f8f890376c0e71
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: ECF0B4B25001049BEB186F64D8194EAB3E8DF24366750497AF88DC7213EB2ADB4087D8

Function 0008A65A Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,00089FE0,00000001,00000364,00000001,00000006,000000FF,?,00074B3F,?,?,74D723A0,?), ref: 0008A69B

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 220ea1035828c05dc4b8bd5aca1cbcbb0259e8549d38e1ca454fd251474d76d6
Instruction ID: 939de52cfe6f8fd1e489fdbb7d4cc75bd289420cad3684b8520411161cc8cb25
Opcode Fuzzy Hash: 220ea1035828c05dc4b8bd5aca1cbcbb0259e8549d38e1ca454fd251474d76d6
Instruction Fuzzy Hash: 4FF0B4327115306ABB617A619C05B9A778DBF42770F1D8123A8C4E6888EA30EC2147A6

Function 0008B094 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00074B3F,?,?,74D723A0,?,?,00043522,?,?), ref: 0008B0C7

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d0a5d34fa3011a2584c7cb72ebd846371200d84db38949d35ace9dd61c666bb1
Instruction ID: bcef45653f7d7cfe41d7a2ba3c364cfcf1e8a99e218e67eaa0baf07e16bb381c
Opcode Fuzzy Hash: d0a5d34fa3011a2584c7cb72ebd846371200d84db38949d35ace9dd61c666bb1
Instruction Fuzzy Hash: 14E06D312016256AEAB136A59C11B9F768DBF423B1F594320ACE4A65C2DB24CC118BA5

Function 04BD0096 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2973367528.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bd0000_90ZF1EDs9h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04acb0da247ce7a859f5b2fe37aad160ab42c2b7b9f77b0674bc35a8f0b1a807
Instruction ID: 0ad92e7e057fecc2dd9db5dc3edac12d8e10d8aceeae958c1168089258903fa3
Opcode Fuzzy Hash: 04acb0da247ce7a859f5b2fe37aad160ab42c2b7b9f77b0674bc35a8f0b1a807
Instruction Fuzzy Hash: E9115CE770C150BEE20265602D15AFB2F28EAD673DB3088E7F046D6102F1886A1A6271

Function 04BD007A Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2973367528.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bd0000_90ZF1EDs9h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c616a55b791b6a4c3be043e9750f51476d470820ee96d54326f0f04c057a1908
Instruction ID: 075e00a93a216be53fa06a0066228a144f93b86488a677112236664449225400
Opcode Fuzzy Hash: c616a55b791b6a4c3be043e9750f51476d470820ee96d54326f0f04c057a1908
Instruction Fuzzy Hash: 90018CEB34C110BEB102A9916A14EFB6B2DE5DA738B3088EBF842D5102F2991E5D7131

Function 04BD00CC Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2973367528.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bd0000_90ZF1EDs9h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f8dc51b2fdf56ed225a381b8e3de103cc2a79e92e07a74abc9850365b19830d
Instruction ID: 0a250ee456de7c7dd6a645503bf5beb7ca190aa26a0bb63ad851d9a33d40476f
Opcode Fuzzy Hash: 3f8dc51b2fdf56ed225a381b8e3de103cc2a79e92e07a74abc9850365b19830d
Instruction Fuzzy Hash: DE0147B720C260AFA206AD6129159FB7B69EAD633477084FFF042C7102F20A1A6D7231

Function 04BD00FC Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2973367528.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bd0000_90ZF1EDs9h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e640314141b4128fc6cf5b26261c32110df8295150ee5fad2ebd546187443faf
Instruction ID: a9b62fbbb7e4aa6f25e409d2118fff8baf9d8a9c3f391411fc120244f28c822e
Opcode Fuzzy Hash: e640314141b4128fc6cf5b26261c32110df8295150ee5fad2ebd546187443faf
Instruction Fuzzy Hash: 64F0A7FB60C110AE7102AD513A15AFB676CD5DA73477088EBF442D6502F5491D6E3131

Function 04BD0108 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2973367528.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bd0000_90ZF1EDs9h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b19a59ae1d0870deffad71bd599e36bbf685ad0012716216d99d6facf2bd808
Instruction ID: 1c68061c6648d4d97a5e4a3f4f01fa377a6a531cf2522f627627d4897302ac2b
Opcode Fuzzy Hash: 9b19a59ae1d0870deffad71bd599e36bbf685ad0012716216d99d6facf2bd808
Instruction Fuzzy Hash: BEF0A7EB60C110AE600269512A149FB676CD9DA735771C9EBF402D7102F5495D5D2131

Non-executed Functions

Function 000947BF Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 000949D6

Strings

1#QNAN, xrefs: 000948D2
1#SNAN, xrefs: 000948CB
1#IND, xrefs: 000948C4
1#INF, xrefs: 000948F5

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 3b82a91966ee1018f4dad71e857d2622c9ac3e228bdc55a3172021adbfe4d0fa
Instruction ID: 03c1c9055329f167a4407b10f12136301dc2d3042ff86f0f9278597c39095cbe
Opcode Fuzzy Hash: 3b82a91966ee1018f4dad71e857d2622c9ac3e228bdc55a3172021adbfe4d0fa
Instruction Fuzzy Hash: E7D22671E086298FDF65CE28DC40BEAB7B5EB44305F1441EAD84DE7240EB78AE859F41

Function 0007C960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: 5456ebcf850de1b373410f4cf02f2de111d1e694bc3bf137b0383f033b2f0c0c
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: 65021C71E012199BEF14CFA9D880AAEBBF1FF48314F24826DE919A7341D735AD418B94

Function 0007361D Relevance: 1.5, APIs: 1, Instructions: 28timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00073077,?,?,?,?,00107E2F), ref: 00073655

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: 3079bc4bf9d9d8bb398cd04554495aca79f76213428f00b86360193c7694ac58
Instruction ID: 99c046999703a8e1f90a03a6147372f57577ba1418f22d2fc584547274d26343
Opcode Fuzzy Hash: 3079bc4bf9d9d8bb398cd04554495aca79f76213428f00b86360193c7694ac58
Instruction Fuzzy Hash: 76F06572944554FFDB119F54EC41F5DBBE8F709B24F008166E812D7B90DB74AA409AC4

Function 00132FD0 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd5fda85498f2fdf9c8e6ef95b73943d8fade84a0105c378513a092c0579cc1
Instruction ID: 543476f2604a58859c860bffdff64fa276cc8c4f2ea1295daec95816583655bb
Opcode Fuzzy Hash: abd5fda85498f2fdf9c8e6ef95b73943d8fade84a0105c378513a092c0579cc1
Instruction Fuzzy Hash: 40625DB1E002159FDF19CF59C5846AEBBB1BF48308F2481ADD824AB342D775EA46CF94

Function 0006F580 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b9970b4e61b3a89387c81d03852b8640c12f30169ca405eadcc1892538b820
Instruction ID: 5e7172a505b6f61b34e57b3b9b9d30d6ab73d94904ee927da7835bab8bc67262
Opcode Fuzzy Hash: 80b9970b4e61b3a89387c81d03852b8640c12f30169ca405eadcc1892538b820
Instruction Fuzzy Hash: 8FE10476E1122A9FCB05CFA8D4816ADFBF2FF89324F1941A9D815B7340D670AD45CBA0

Function 0008036F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fae76d475b7cbcaea4236f3d15fdbaa36b535f795efbd17608e7427fcb31a36
Instruction ID: 383067f62a3052465d8c9e569197d17087f0fa74bc1135640c3b33e5b126f8dd
Opcode Fuzzy Hash: 9fae76d475b7cbcaea4236f3d15fdbaa36b535f795efbd17608e7427fcb31a36
Instruction Fuzzy Hash: FFC10EB0A00A068FDBF4EF68C4946BABBF1BF45310F145619D5D697692D330AD4CCB21

Function 0008DA86 Relevance: .3, Instructions: 270COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f29218e384ce32b867f2d9fa5b50d9c7b5e765c017618b1b17fda3c98999e22
Instruction ID: e873bcfb85b01023bba19ea8cb96c38e013fa5c1827f59d8088bf6adcd852e2d
Opcode Fuzzy Hash: 8f29218e384ce32b867f2d9fa5b50d9c7b5e765c017618b1b17fda3c98999e22
Instruction Fuzzy Hash: 6EB137312106099FD769DF28C48AB657BE0FF45364F29865AE8DACF2E1C335E981CB40

Function 00098BB0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe41a50df89e7edc02f9f33d72f0df6f6b173424ec3e0190a56e931547efd30c
Instruction ID: 8e43e2dd7b4c4d9fcd6e4d3c5077dfc70fe1c59110b96230967a45031578fa82
Opcode Fuzzy Hash: fe41a50df89e7edc02f9f33d72f0df6f6b173424ec3e0190a56e931547efd30c
Instruction Fuzzy Hash: DE81EEB1E052469FDB108F68D895BEEBBF4EB1A300F448169D85997783CB349909E7A0

Function 0012FC40 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ccddb83a97e472c2628f6981debb63efa50d44bb605a1d8c216493510b0a75a
Instruction ID: b6c114dffbede18fb0d93e9cdab3a420a89ab802fca97666b032cdc1122b3c1f
Opcode Fuzzy Hash: 1ccddb83a97e472c2628f6981debb63efa50d44bb605a1d8c216493510b0a75a
Instruction Fuzzy Hash: 366161317245644FE718CF1EECC05767B62A38B30178A422AEA81CB7D5C635EB66C7E0

Function 0007A928 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
Instruction ID: 8c7e37ad817701a4ecfdf31a980029e2e75f244f022fd4b47c941edc9f7e261d
Opcode Fuzzy Hash: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
Instruction Fuzzy Hash: E7516E72E00219AFDF14CF98C940AEEBBF2FF89304F19C459E555AB201D738AA50DB95

Function 04BC04E4 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2973286707.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_90ZF1EDs9h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cee622ea45581db1f1db5963f9487fc2fa9d8888c3b90c2e02d5f3fce777c1b
Instruction ID: 45b54c91c5df14ac9a44168a4d73b2a9c6c49ce2feff4f97313dcddd2ae50642
Opcode Fuzzy Hash: 3cee622ea45581db1f1db5963f9487fc2fa9d8888c3b90c2e02d5f3fce777c1b
Instruction Fuzzy Hash: 1B11C6B720C150FEB601AA96ABD4DFB7B3DD6C1B30330C46FF802C481AE2A55E4A6171

Function 000771A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 4de64dd896e446aba8c01a9df5aad5b8e5f7fc70eb11c71bbb0f25c8546bc735
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 0E11B177B0D08143D6A4C63DC8B46B7A7C5EBC63A176DC376D09D4BB08C12ED9029708

Function 04BC0AEF Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2973286707.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4bc0000_90ZF1EDs9h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6621933ca3c18c61a04e619f8163a612ee9cfbcbc7c6c38a56251db61f8f0aba
Instruction ID: 8bd8886ec3a02d3b499924f55629e5bfe2f3604a6e13653502a3a31968d55fd5
Opcode Fuzzy Hash: 6621933ca3c18c61a04e619f8163a612ee9cfbcbc7c6c38a56251db61f8f0aba
Instruction Fuzzy Hash: AFE012BB38C5506D7100E5A5BF989FA671EF5C1775331896BF001C4405F2959D4A55B0

Function 0008BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0008BBEC

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: 9cd6b95b7b58597d0faf83f6180589e48d491e1d3a7b87330db2a3bd9c77d49c
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: 5CB14772A00355AFDB21AF68CC82BEE7BE5FF56310F144165E984AF382E7749901C7A0

Function 000772D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00077307
___except_validate_context_record.LIBVCRUNTIME ref: 0007730F
_ValidateLocalCookies.LIBCMT ref: 00077398
__IsNonwritableInCurrentImage.LIBCMT ref: 000773C3
_ValidateLocalCookies.LIBCMT ref: 00077418

Strings

csm, xrefs: 000773AD

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: eed22010b592fce111b8cba39a00059de87f3d6e2b1e0e80c8f967ff8af492d9
Instruction ID: 697a69c8071daa02f8d9ce46828b627c03974cc8aa3e60360be23554ce91c593
Opcode Fuzzy Hash: eed22010b592fce111b8cba39a00059de87f3d6e2b1e0e80c8f967ff8af492d9
Instruction Fuzzy Hash: 8A41BD30E04209ABCF10DF68C885A9EBBE5AF04358F14C055FD1CAB392DB79EA51DB95

Function 0005A060 Relevance: 9.1, APIs: 6, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0005A09D
std::_Lockit::_Lockit.LIBCPMT ref: 0005A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 0005A0E7
__Getctype.LIBCPMT ref: 0005A1C5
std::_Facet_Register.LIBCPMT ref: 0005A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 0005A223

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 14437897a4913d640f5db56aacae3b3d97e4dff9b13e589d8ec573ddae87ae80
Instruction ID: bf0b7afae55023440ab87072205a601c9194a8f9864219fa866d1436b671c8ac
Opcode Fuzzy Hash: 14437897a4913d640f5db56aacae3b3d97e4dff9b13e589d8ec573ddae87ae80
Instruction Fuzzy Hash: 9651B8B0E00249CFCB11CF98C945BAEBBF0FB01714F148259D845AB392DB74AA48CBD2

Function 0005C430 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0005C45A
std::_Lockit::_Lockit.LIBCPMT ref: 0005C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 0005C4A4
std::_Facet_Register.LIBCPMT ref: 0005C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 0005C5C4

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 4f81cf761cd5611c6be7f3b8845e95a195deacace714abe5081ea8d73c0130c3
Instruction ID: dc1ea0138ef7eddaa3a043d9c0a600ebdc5461496eefa5619482d62c5013e142
Opcode Fuzzy Hash: 4f81cf761cd5611c6be7f3b8845e95a195deacace714abe5081ea8d73c0130c3
Instruction Fuzzy Hash: 73519BB0900248DFEB11DF98D954FAEBBF0FB01314F248199E845AB381D775AE49CB91

Function 00044900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0004499F

Strings

ios_base::eofbit set, xrefs: 00044946
ios_base::badbit set, xrefs: 00044937, 00044962
ios_base::failbit set, xrefs: 00044828, 00044941

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: c919c5830e561f18423a00d14359f3bce5804e30dfcfa5b20f1c50d3a9ad30b1
Instruction ID: fd02cacb7c1015cd1752d7e9c652b8a34cb2bf144b7c1808629f92a65f6e4554
Opcode Fuzzy Hash: c919c5830e561f18423a00d14359f3bce5804e30dfcfa5b20f1c50d3a9ad30b1
Instruction Fuzzy Hash: 42112CF29086447BC710DE589C02BDA73D8DB05720F448679FE589B2C2EB759D04879A

Function 00072729 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00072730
std::_Lockit::_Lockit.LIBCPMT ref: 0007273B
std::_Lockit::~_Lockit.LIBCPMT ref: 000727A9

Part of subcall function 0007288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 000728A4

std::locale::_Setgloballocale.LIBCPMT ref: 00072756

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 3df8ca8f6dc643cba7a2891739ce94ee820469decf96bd779bfc03e3ec46f563
Instruction ID: ec3ba9859d21eedf7170c8d7ea4e8fd320ce4910c3a32902af7eee768b8adaca
Opcode Fuzzy Hash: 3df8ca8f6dc643cba7a2891739ce94ee820469decf96bd779bfc03e3ec46f563
Instruction Fuzzy Hash: 56018475E012519BD709EB24D8959BD7BB1FF84750B148009E81557392CF38AE82CBDA

Function 00047350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0004750C
___std_exception_destroy.LIBVCRUNTIME ref: 00047522

Strings

[json.exception., xrefs: 000473A1

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 63e856d22b267f616f43e4d23f55a3ec5162342b305727e701dbff9bded53d9b
Instruction ID: 2658031d5a382f19b9ff31f90b8ab69f50ee5463d7b4dfa81d0ce081a6300b4b
Opcode Fuzzy Hash: 63e856d22b267f616f43e4d23f55a3ec5162342b305727e701dbff9bded53d9b
Instruction Fuzzy Hash: 8451E1B0D047489FDB00DFA8C906BDEBBB4EF15314F148269E855A7382E7B95A44C7E2

Function 000447F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0004499F

Strings

ios_base::badbit set, xrefs: 00044937, 00044962
ios_base::failbit set, xrefs: 00044828

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: 0d88e4ce9b6bccede1a3c5c277c0da90f85be0d627d2671338dc636e7aeaa97b
Instruction ID: 0873a3eb53f8ca494261379237f88d66eb5c4eba5fc4c431c022f55d0bab77ac
Opcode Fuzzy Hash: 0d88e4ce9b6bccede1a3c5c277c0da90f85be0d627d2671338dc636e7aeaa97b
Instruction Fuzzy Hash: 8941F2B1D04248ABCB04DF58CD46BEEBBF8EB09710F14826DF554AB282DB755E00CBA5

Function 00044040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00044061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000440C4

Strings

bad locale name, xrefs: 000440E6

Memory Dump Source

Source File: 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true

Associated: 00000000.00000002.2960358078.0000000000040000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960516340.00000000001C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960835232.00000000001CA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.00000000001CD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.0000000000474000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2960879822.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2962598938.000000000048B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963017388.000000000062B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2963119638.000000000062D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40000_90ZF1EDs9h.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 2a31141896fedc4966fbeb9f22d510696e15853209f00ee2da82fef864a9bda7
Instruction ID: ca0e99886a6b06fb7d2e42b9a0f9f030faec20fa16ce96fee15ffb8a18d1da8c
Opcode Fuzzy Hash: 2a31141896fedc4966fbeb9f22d510696e15853209f00ee2da82fef864a9bda7
Instruction Fuzzy Hash: 94110370805B84EED321CF68C50478BBFF0AF15714F10868DD49997782C3B95A04CBA5

Analysis Process: MPGPH131.exePID: 7552, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	5.5%
Signature Coverage:	0%
Total number of Nodes:	1906
Total number of Limit Nodes:	45

Executed Functions

Function 04D102F9 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2974457666.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d10000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d001719609cf864dde9a7fb354b28d14f78f542a6acaca77e7235284d780767
Instruction ID: 15db8f43f055c8701d71ad05501dbcb8768bbee814ef72ca958e6cfea6912239
Opcode Fuzzy Hash: 5d001719609cf864dde9a7fb354b28d14f78f542a6acaca77e7235284d780767
Instruction Fuzzy Hash: FA31F8EB388214BE650370867B54AFA6B6EE5D7330330C427FC83D6913E2D59A896071

Function 00257B00 Relevance: 16.8, APIs: 11, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000003EC,0000FFFF,00001006,?,00000008), ref: 00257BA6
recv.WS2_32(?,00000004,00000002), ref: 00257BC1
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00257C43
recv.WS2_32(00000000,0000000C,00000008), ref: 00257C64
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?,00000000), ref: 00257D01

Part of subcall function 00258590: WSAStartup.WS2_32 ref: 002585BA
Part of subcall function 00258590: socket.WS2_32(?,?,?,?,?,?,00319328,?,?), ref: 0025865E
Part of subcall function 00258590: connect.WS2_32(00000000,002E9BFC,?,?,?,?,00319328,?,?), ref: 00258671
Part of subcall function 00258590: closesocket.WS2_32(00000000), ref: 0025867D

recv.WS2_32(00000000,?,00000008), ref: 00257D1B
recv.WS2_32(?,00000004,00000008), ref: 00257E23
__Xtime_get_ticks.LIBCPMT ref: 00257E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00257E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00257EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00257EB9

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: recv$Sleepsetsockopt$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsocket
String ID:
API String ID: 301102601-0
Opcode ID: 6f1f7899684a7bca35a5f6a72025869d924439d77e6be33e0bed4182c77debc1
Instruction ID: 4291fb4221242875eb2d85e548a6a437cb780635c3e2b38238754e81c7e368aa
Opcode Fuzzy Hash: 6f1f7899684a7bca35a5f6a72025869d924439d77e6be33e0bed4182c77debc1
Instruction Fuzzy Hash: 01B1DF70D58308DFEB11DFA4DC49BADBBB5BB58300F108259E854AB2D2D7B45D48CB91

Function 00258590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 002585BA
socket.WS2_32(?,?,?,?,?,?,00319328,?,?), ref: 0025865E
connect.WS2_32(00000000,002E9BFC,?,?,?,?,00319328,?,?), ref: 00258671
closesocket.WS2_32(00000000), ref: 0025867D

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: a3609e51366d8d88dfe4ae23617d1b877dac5b7fa82eaabf8a7c89692ed3d3c4
Instruction ID: e16e3248d58611d67992b3292984a7842e289255bfd6add62496eaf2c48958d3
Opcode Fuzzy Hash: a3609e51366d8d88dfe4ae23617d1b877dac5b7fa82eaabf8a7c89692ed3d3c4
Instruction Fuzzy Hash: B331E4725153015BD7208F248C4462FB7E9EBC9735F105F19F9A8A21D0D7719D1886A7

Function 00199280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,002DD15C,00000000,74D723A0,-00319880), ref: 001996C9

Strings

Ws2_32.dll, xrefs: 0019969A

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: Send
String ID: Ws2_32.dll
API String ID: 121738739-3093949381
Opcode ID: d447d516765ea995fdcc7b6bcc06ac9756a4c4224173b42c3d62d654d9c4b4fc
Instruction ID: ff32d6d82fad83335568563e99b7fea442f7fe4ef94732419a39e35e4354b5b0
Opcode Fuzzy Hash: d447d516765ea995fdcc7b6bcc06ac9756a4c4224173b42c3d62d654d9c4b4fc
Instruction Fuzzy Hash: 7502BD70D14298DEDF25CFA8C8907ADBBB0EF59314F24428DE4856B286D7741986CF92

Function 04D00998 Relevance: 1.9, APIs: 1, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2974366115.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d00000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 5ba091648dcbf68a20959bd7ccc82b774da3ee672b00e606e7ed78e70de746f3
Instruction ID: f14fc4ce2255a13852465f228a9c6c8a740c1e01388f104a24bbcc48f8ed947f
Opcode Fuzzy Hash: 5ba091648dcbf68a20959bd7ccc82b774da3ee672b00e606e7ed78e70de746f3
Instruction Fuzzy Hash: 7581F4EB30D110BDA14381553B54BF66A6EEAD7730330C467F487D7A82F694AE497131

Function 04D00A89 Relevance: 1.8, APIs: 1, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C50

Memory Dump Source

Source File: 00000005.00000002.2974366115.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d00000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e2dae81792af6e7daca4a4de3b8871faf1c5f9ce7b75125c4e2cf65b05eaa387
Instruction ID: c0808fd62a4bb74af8200e8feef227ca822a2ba8797aae42f29add3dd786c52a
Opcode Fuzzy Hash: e2dae81792af6e7daca4a4de3b8871faf1c5f9ce7b75125c4e2cf65b05eaa387
Instruction Fuzzy Hash: 8661F3EB70C210BDA15341513B54BF62A6EEAD7630730C066F487DBBC2F6D4AA8A7131

Function 04D00B2D Relevance: 1.8, APIs: 1, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C50

Memory Dump Source

Source File: 00000005.00000002.2974366115.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d00000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 799c8a84a8fbdd2081261a55a87419d05f90d41e89e0d42bf45a344a07d5618e
Instruction ID: 503351ae51758fe6c078a928ab1a341c14a7c6a9c5c85b912cadd4ac2e312616
Opcode Fuzzy Hash: 799c8a84a8fbdd2081261a55a87419d05f90d41e89e0d42bf45a344a07d5618e
Instruction Fuzzy Hash: AE51F2EB70D110BDA15341523B54BF62A6EE6D7630730C067F887DBAC2F6D4AA897031

Function 04D00AF5 Relevance: 1.8, APIs: 1, Instructions: 287
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C50

Memory Dump Source

Source File: 00000005.00000002.2974366115.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d00000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1929bb2bae288bce20f1dd60334913220cc7b1f2adaf34eebe3db4b355846410
Instruction ID: c40895fdf37d264708dcf498cd662b2b1277d0b263a3b247ce47e9ed67e02968
Opcode Fuzzy Hash: 1929bb2bae288bce20f1dd60334913220cc7b1f2adaf34eebe3db4b355846410
Instruction Fuzzy Hash: 1B5113DB70C110BDA15385413B54BF66A6EE6D7230730C067F487DBBC2F684AA897131

Function 04D00AFB Relevance: 1.8, APIs: 1, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C50

Memory Dump Source

Source File: 00000005.00000002.2974366115.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d00000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 28900dd99a5e4e5c72e02ab831ccdd86ecfe848a8690e869e6849d583c5a2519
Instruction ID: 4c8cbe78b2e3228c887440b5f5bda45376fc8b894e9250fae47df3fe63c83166
Opcode Fuzzy Hash: 28900dd99a5e4e5c72e02ab831ccdd86ecfe848a8690e869e6849d583c5a2519
Instruction Fuzzy Hash: C651DFEB70C110BDA15385453B54BF66A6EE6D7230730C067F887DBAC2F694AB8A7131

Function 04D00C05 Relevance: 1.8, APIs: 1, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2974366115.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d00000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1ccd8f12dca989ccb6cf7383f8012fcb7a13586d7e348c856a06abdb4569e37
Instruction ID: 11d4eb4d5b10b5403a915e2bd08b014990a48e8b3ecfd09e7e3f0dc480ed6158
Opcode Fuzzy Hash: d1ccd8f12dca989ccb6cf7383f8012fcb7a13586d7e348c856a06abdb4569e37
Instruction Fuzzy Hash: CF5148E770C150BDA20381557B54BF66F6EEA97230330C06BF487DB6C2F685AA897131

Function 04D00B43 Relevance: 1.8, APIs: 1, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C50

Memory Dump Source

Source File: 00000005.00000002.2974366115.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d00000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 3c7dbc40fb919c43ea19c32ef3c3e9311b28134f9e9c1a17f10f99d08344a229
Instruction ID: 33b47cab2116d4ff1212c791a3fac82e6693c8d093efb52e4a56c11b56f7c4ed
Opcode Fuzzy Hash: 3c7dbc40fb919c43ea19c32ef3c3e9311b28134f9e9c1a17f10f99d08344a229
Instruction Fuzzy Hash: 2D51F1EB70C114BDA15341413B54BF62A6EE6D7230B30C067F887EBBC2F694AA897031

Function 04D00B5D Relevance: 1.8, APIs: 1, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C50

Memory Dump Source

Source File: 00000005.00000002.2974366115.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d00000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c733ca287ef201fb898c37f415af09eec7bc2305587ecf8564ce787792cd91d6
Instruction ID: 4b896dd6b7600776c8acdfb96801652b1bc170aa01164e6491247d1369625e65
Opcode Fuzzy Hash: c733ca287ef201fb898c37f415af09eec7bc2305587ecf8564ce787792cd91d6
Instruction Fuzzy Hash: 2D51B0EB70D124BDA15345413B54BF66A6EE6D7230730C067F487EBBC2F694AA897031

Function 04D00B87 Relevance: 1.7, APIs: 1, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C50

Memory Dump Source

Source File: 00000005.00000002.2974366115.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d00000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 048fbcae69bf09793411e15aa86504f1f7ea1173a772d3bd1fb35f995522577b
Instruction ID: 5fac316a088297d1940ab2ef7ecbba873a52549b0a6efe1f3fc9d10a6b9c824c
Opcode Fuzzy Hash: 048fbcae69bf09793411e15aa86504f1f7ea1173a772d3bd1fb35f995522577b
Instruction Fuzzy Hash: F851C0EB70D124BDA15341453B54BF66A6EE6D7230730C067F487EBBC2F694AA897031

Function 04D00B92 Relevance: 1.7, APIs: 1, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C50

Memory Dump Source

Source File: 00000005.00000002.2974366115.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d00000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 82ff464bb9f83e40b726cfd8ac76e65d6f45b1a2956bd2fe4773e499bb875ab5
Instruction ID: 921ddb7dfff7ce1bfb3e0a472602afd2e6bbf2014d1596cf9287ccc404003322
Opcode Fuzzy Hash: 82ff464bb9f83e40b726cfd8ac76e65d6f45b1a2956bd2fe4773e499bb875ab5
Instruction Fuzzy Hash: 6D51E2EB70C210BDA15385513B54BF62A6EE6D7230730C167F487EBBC2F694AA897131

Function 04D00BBE Relevance: 1.7, APIs: 1, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C50

Memory Dump Source

Source File: 00000005.00000002.2974366115.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d00000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e0d24ab22712b2742469a5f7a16b419db479c1f1962504a8fd4ba4a5bc9c9482
Instruction ID: 0a66e8a89304004f59f5541152d68f8822e058570353958193877e8c0e9f8618
Opcode Fuzzy Hash: e0d24ab22712b2742469a5f7a16b419db479c1f1962504a8fd4ba4a5bc9c9482
Instruction Fuzzy Hash: 9E41E2EB70D120BDA15341413B54BF66A6EE6D7230730C067F887EBBC2F694AA897031

Function 04D00BE2 Relevance: 1.7, APIs: 1, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C50

Memory Dump Source

Source File: 00000005.00000002.2974366115.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d00000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1b9f98321f166a76b99ab4bf898921fdecec3287989c5aa2aeea44629194a3b8
Instruction ID: 5bc06c572602c6db816a4c25b614022aed8c303867b4e4ad2eeba5707b514542
Opcode Fuzzy Hash: 1b9f98321f166a76b99ab4bf898921fdecec3287989c5aa2aeea44629194a3b8
Instruction Fuzzy Hash: 7B41DFEB70C120BDA15385423B54BF66A6EE6D7230730C06BF487D7B82F694AA897031

Function 04D00BCD Relevance: 1.7, APIs: 1, Instructions: 233COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C50

Memory Dump Source

Source File: 00000005.00000002.2974366115.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d00000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 35b953d38f1b5aa0397d3131941bca12a5a2102dcf57f31ca386ccfa93b35575
Instruction ID: 53a976589657672014b22189276dfe353f84f931e5d990bf273b61b9db80031b
Opcode Fuzzy Hash: 35b953d38f1b5aa0397d3131941bca12a5a2102dcf57f31ca386ccfa93b35575
Instruction Fuzzy Hash: 3641E0EB70D120BDA15385417B54BF62A6EE6D7230730C467F887DBAC2F694AA897031

Function 04D00C87 Relevance: 1.7, APIs: 1, Instructions: 215COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C50

Memory Dump Source

Source File: 00000005.00000002.2974366115.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d00000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 4b94de90284c621ce600336d3faad2e3ac53575a4baa0e42e21df7cf7b21be4e
Instruction ID: 0c97c8a6f09b55a10e25d9c81550dbbe878363c15cded4eb93635a1e49d081d7
Opcode Fuzzy Hash: 4b94de90284c621ce600336d3faad2e3ac53575a4baa0e42e21df7cf7b21be4e
Instruction Fuzzy Hash: 1C41C3EB70D120BDA15381523B54BF61A6EE6D7330730C167F487D7AC2F694AA897131

Function 001D9789 Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001D990E

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 575e0cf06405d5ae709a9d3db70b863f2db9e05012dee2c29dfc6abd690d42df
Instruction ID: 61b10d519f73381e439c3593c4f66ad2523d390ee68c3e38eb563c488b454dcb
Opcode Fuzzy Hash: 575e0cf06405d5ae709a9d3db70b863f2db9e05012dee2c29dfc6abd690d42df
Instruction Fuzzy Hash: 9061C472D04119BFDF15DFA8C880EEEBBB9AF19308F15014AE904A7346D732D901DBA0

Function 001D8DFF Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,001D8CE6,00000000,?,0030A178,0000000C,001D8DA2,?,?,?), ref: 001D8E55

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f22c7ffff4bb386eeeadf5f02e643b68fd6a448f0fa2576d2f0cce5bbe4c920f
Instruction ID: d01d7c8ef708482bb846e8bfa13fbd2bdcc120a6986f3cffab03b0ace5325c4f
Opcode Fuzzy Hash: f22c7ffff4bb386eeeadf5f02e643b68fd6a448f0fa2576d2f0cce5bbe4c920f
Instruction Fuzzy Hash: 8B114E337061246AD6293335A841BBE678D4B9273CF290A1FF9188F3C2DF71DC814599

Function 001D251C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,001D2626,?,?,?,?,?), ref: 001D2558

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 86c4f43d916f647db112ce0037858b8c888244b1a05d8be8a4a7bdf851fc6718
Instruction ID: 57617628cadb9da59016b3a516ba85e7690e88719bfbb6147e8f444760cc677b
Opcode Fuzzy Hash: 86c4f43d916f647db112ce0037858b8c888244b1a05d8be8a4a7bdf851fc6718
Instruction Fuzzy Hash: 5D010432600114ABCF09DF59DC11CDE7B5A9B95320B250109F8119B2A0EB71ED428B90

Function 001932D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0019331F

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: 9a938fad64ebf40b021adcaa69c9ae37b2d8c2f4359c334488802a9686c87024
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: AFF09A72140114AADF186FA4E8159EAB3E8EE353A1750096EE8A9C7212EF26DB408790

Function 001DA65A Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,001D9FE0,00000001,00000364,00000001,00000006,000000FF,?,001C4B3F,?,?,74D723A0,?), ref: 001DA69B

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a3ce7ba9c36264ef53e6848143688496e05053dc719ef4e1f3e6a8658efc9d1f
Instruction ID: e3396bd517c7f21b8c0d1ddb14cf0c2436a55897ec0ac0dea9e4806bbb78f30b
Opcode Fuzzy Hash: a3ce7ba9c36264ef53e6848143688496e05053dc719ef4e1f3e6a8658efc9d1f
Instruction Fuzzy Hash: 0FF0E232111520EA9F22EA72DC11BAB3B4DAF41760FAD8123EC04EB380DB34DC0086E7

Function 001DB094 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,001C4B3F,?,?,74D723A0,?,?,00193522,?,?), ref: 001DB0C7

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5018fbb2dad5e068dbf1336f309079549558df01085d111790af6581d767e998
Instruction ID: dfd0d8e366a4d9b8894b3680df03abb18e66e18d3a5b822b1807bb3a5c002b58
Opcode Fuzzy Hash: 5018fbb2dad5e068dbf1336f309079549558df01085d111790af6581d767e998
Instruction Fuzzy Hash: D0E02B31108220EADB3136699C90B5F766D9F413A0F070213FC26927C0DB30CC0081E5

Function 04D102F1 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2974457666.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d10000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2f01e2b603b8227925f80cd67d26340688740cf22c73145321d24f1f876f80
Instruction ID: 5727de5eb1ec26e823a8918206fc2848fcab461b56778fecc92acb31673766b3
Opcode Fuzzy Hash: ae2f01e2b603b8227925f80cd67d26340688740cf22c73145321d24f1f876f80
Instruction Fuzzy Hash: 7A21B2E7388214BF654360867B54AFA6B5ED6DB730330C026FC83D7A13F2959A892171

Function 04D10322 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2974457666.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d10000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de52576389eff6bcb315b44a3387f523e92ede748481be53adf4ed9324290a57
Instruction ID: 72f83d4d490a6afd8fc6b58346164f359e0ded1fa120088735f8f5e3cd4a09cd
Opcode Fuzzy Hash: de52576389eff6bcb315b44a3387f523e92ede748481be53adf4ed9324290a57
Instruction Fuzzy Hash: 6421A1EB3482547E650360957B54EFA6B5EDACB7303308026FC83D6A13E2898A896171

Function 04D10354 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2974457666.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d10000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a2c27ced50796cab23af267f2b99618c7c45e17cc2d6b097557fbc08143d85
Instruction ID: ad3524ac25cb89def8023ea4893742702ce7c9cc08ce8e93863107bda6f46c2a
Opcode Fuzzy Hash: 57a2c27ced50796cab23af267f2b99618c7c45e17cc2d6b097557fbc08143d85
Instruction Fuzzy Hash: 9511E6EB3481147E750370963F54EFA6B5ED6CA730330C027FC83C6913E2998A896172

Function 04D103E4 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2974457666.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d10000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a088b718c50eba4d57672e86b8027066316aed88d4f7cb377a3d1a07f899d5f4
Instruction ID: 696ff345ab310e1c50ee8a43256057f672f5997f3e3b83f6eace411ba5c01860
Opcode Fuzzy Hash: a088b718c50eba4d57672e86b8027066316aed88d4f7cb377a3d1a07f899d5f4
Instruction Fuzzy Hash: 9F11E6EB3481047F6503B4967B59AFA6B5DDACB3303308127FCC3D6913E1959A896172

Function 04D10376 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2974457666.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d10000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32f85628bc8abfcdd094e72f5eb0834f30adbd10395b4c162e8d564607ecfc72
Instruction ID: 2fbdf7b27041414856749ac77c669563b5774858404a2ff4d1159749546f2d4c
Opcode Fuzzy Hash: 32f85628bc8abfcdd094e72f5eb0834f30adbd10395b4c162e8d564607ecfc72
Instruction Fuzzy Hash: CB1138EB24D2407FB10361953F55AFA6B5DEAD7330330802BF8C3D7A13E1944A856171

Function 04D103AC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2974457666.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d10000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d041883ef189d9c87f09d8d33373038fdb0854e5c87b531dfdfc2b13a2f8a9f
Instruction ID: 2a10860961d1cd3843664ba05e5b5a30f1d486bb0fac88618b6d061c37ef5850
Opcode Fuzzy Hash: 3d041883ef189d9c87f09d8d33373038fdb0854e5c87b531dfdfc2b13a2f8a9f
Instruction Fuzzy Hash: AD01A7EB349110BE714360867B44EFA5B5DE6D7330370C027F883C2913E1948A997171

Function 04D103C8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2974457666.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d10000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246ee1cadf6e5b13c96e8e2d22ff18266108d101889f638e604b612af2dfc9e0
Instruction ID: fd888f8bedaca9a762db801c0f0e22aae06ddd6f85ead579e5623c68f76e2bf2
Opcode Fuzzy Hash: 246ee1cadf6e5b13c96e8e2d22ff18266108d101889f638e604b612af2dfc9e0
Instruction Fuzzy Hash: D40126AB34C210BFE143A0823B58AF9676DE6D7330334C02BF8C3C5513E1889A8D6272

Function 04D10423 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2974457666.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d10000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f9e5411d2b8ad3c61864ef6fec42416994bc55192fb028856ee94a49688d15
Instruction ID: 05b0d727ea4329b1c00fb41aef0647276dd80cbf943caa333fdd25f21f88e6ae
Opcode Fuzzy Hash: 38f9e5411d2b8ad3c61864ef6fec42416994bc55192fb028856ee94a49688d15
Instruction Fuzzy Hash: 23F022EB3890107E6043A0927F88AFA676CD5C73303348427F8C3C1013F1888ACE6171

Function 04D103D7 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2974457666.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d10000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e39667ebbb5cccecace448f12ee26379ce385ae20f486ccb5f7bdaa54360aa6
Instruction ID: d95e66a5fd54f663e62abf24e80ffa0c5221964608d11a46958b0807df11079f
Opcode Fuzzy Hash: 0e39667ebbb5cccecace448f12ee26379ce385ae20f486ccb5f7bdaa54360aa6
Instruction Fuzzy Hash: 3EF090EB349110BE6043A0963B49AFA975DE5DB330374C037F8C3C5513E2888A8E6132

Function 04D10405 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2974457666.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d10000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf43984d852bab900ca7d53761aa91be95ace05124fc94dfadf867105d06f8c
Instruction ID: d857286b51b6ec3010762a4b4eeb41b1b9a9e4717fab9ef9b21b6780f72850ae
Opcode Fuzzy Hash: 5cf43984d852bab900ca7d53761aa91be95ace05124fc94dfadf867105d06f8c
Instruction Fuzzy Hash: 3DF012EB3491107EB042A1967F59BFA975DE5D7331374C437F887C1513E2988A8E6131

Function 04D10441 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2974457666.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d10000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dcbfadb8d042812359222c39410ce906fea3c587d5eaad635aa09c8bcaa995a
Instruction ID: 05a94f3234bcc7c37fabaf3fb95e7d69732b917328fd5f5f9a41e2770b098e6a
Opcode Fuzzy Hash: 6dcbfadb8d042812359222c39410ce906fea3c587d5eaad635aa09c8bcaa995a
Instruction Fuzzy Hash: B0E0265B3491807A8203616835856F56F9A6DE723237840BAFDC1CAA17E049854EA330

Non-executed Functions

Function 001CC960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: 27f0dc3dd47f61ba77ccf921b8d0747872099d25bc87f4dda97fa330c784dd36
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: 6E021971E012199BDB14CFA9C890BAEBBB1FF58314F24826DE919E7380D731AD41CB94

Function 001DBB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 001DBBEC

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: 50663312eafb5820b65abbd14ad4ab6c215d965b6876ee8b9d508dc424d69d71
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: DDB16632E08695DFDB158F68CCC2BEE7BA5EF69310F164157E906AB382D7749801C7A0

Function 001C72D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 001C7307
___except_validate_context_record.LIBVCRUNTIME ref: 001C730F
_ValidateLocalCookies.LIBCMT ref: 001C7398
__IsNonwritableInCurrentImage.LIBCMT ref: 001C73C3
_ValidateLocalCookies.LIBCMT ref: 001C7418

Strings

csm, xrefs: 001C73AD

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ac65a7f329f5bd00bc35a4b7d404c1ce5908e3d955e1547b75e9d6e68bcf6263
Instruction ID: 58abb4dd4b351b33951902f6a90f349e2192a7fa1c374b55b4a08cc8b9ffac3e
Opcode Fuzzy Hash: ac65a7f329f5bd00bc35a4b7d404c1ce5908e3d955e1547b75e9d6e68bcf6263
Instruction Fuzzy Hash: FD41A034E04249ABCF14DF68C885F9EBBA5BF64324F148059EC189B392DB71EA01DF91

Function 001AA060 Relevance: 9.1, APIs: 6, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001AA09D
std::_Lockit::_Lockit.LIBCPMT ref: 001AA0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 001AA0E7
__Getctype.LIBCPMT ref: 001AA1C5
std::_Facet_Register.LIBCPMT ref: 001AA1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 001AA223

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: bc9cc9e601676c6b4b21f0ebf1c299c82444e4d8edf9584006264c34b7f996dd
Instruction ID: 2ffea626b30d328ac3bf93d1ae520ffd7b57dfe8a7070992e3a0c15811bd2104
Opcode Fuzzy Hash: bc9cc9e601676c6b4b21f0ebf1c299c82444e4d8edf9584006264c34b7f996dd
Instruction Fuzzy Hash: A851DAB4D00248DFCB11CF58C941BAEBBF4AF25710F28815DE854AB391EB75AE04CB92

Function 001AC430 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001AC45A
std::_Lockit::_Lockit.LIBCPMT ref: 001AC47C
std::_Lockit::~_Lockit.LIBCPMT ref: 001AC4A4
std::_Facet_Register.LIBCPMT ref: 001AC59A
std::_Lockit::~_Lockit.LIBCPMT ref: 001AC5C4

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: d96190c4cd2e722338be58131a39320fbd5b12bec00555f4b179fdfd53b2c7a3
Instruction ID: 664c1004bc02da5abfec0968a4e3eb53a387f1799a585e20dd926a23a072c1f6
Opcode Fuzzy Hash: d96190c4cd2e722338be58131a39320fbd5b12bec00555f4b179fdfd53b2c7a3
Instruction Fuzzy Hash: 0651DBB0900248DFDB12CF58C854BAEBBF4FB26314F24815DE855AB380D771AA05CBD0

Function 00194900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0019499F

Strings

ios_base::failbit set, xrefs: 00194828, 00194941
ios_base::eofbit set, xrefs: 00194946
ios_base::badbit set, xrefs: 00194937, 00194962

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: d17cb17f824c2ba873af8c42df071e22496943d7707552bb527d29d2cc4a806e
Instruction ID: e399aa6cc94ba60d89ab9b881228e0b6805d9fa69d5b806feed30ee744388dec
Opcode Fuzzy Hash: d17cb17f824c2ba873af8c42df071e22496943d7707552bb527d29d2cc4a806e
Instruction Fuzzy Hash: 4D115972914A48ABCB14DF588C02FAA7398DB19724F08462DFA588B2C1EB35A911C7D2

Function 001C2729 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001C2730
std::_Lockit::_Lockit.LIBCPMT ref: 001C273B
std::_Lockit::~_Lockit.LIBCPMT ref: 001C27A9

Part of subcall function 001C288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 001C28A4

std::locale::_Setgloballocale.LIBCPMT ref: 001C2756

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 08cb9cd91c81c4ecea6b7384bdb36b0153a2e617cabfba80cdb19d6a8b2a4f83
Instruction ID: 4cec7bb373b569fecb7c56b422d1c8c32cd4f14744d36664055e1c1ad77500c6
Opcode Fuzzy Hash: 08cb9cd91c81c4ecea6b7384bdb36b0153a2e617cabfba80cdb19d6a8b2a4f83
Instruction Fuzzy Hash: 0D01D479A002108BC70AEB20D885A7D77B1BFB9750B18444DE82157381CF74EE02CFD5

Function 00197350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0019750C
___std_exception_destroy.LIBVCRUNTIME ref: 00197522

Strings

[json.exception., xrefs: 001973A1

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 0c3c2b6850d2a758a1e5cd396362de189af7eabdcab0a77548a7d5c87e896f1c
Instruction ID: 03a24a4de163aa6bab2a21098ea8bb69e012dc7da200ef8ef41eb1029525f81b
Opcode Fuzzy Hash: 0c3c2b6850d2a758a1e5cd396362de189af7eabdcab0a77548a7d5c87e896f1c
Instruction Fuzzy Hash: FC51C1B1C146489FDB00DFA8C905BAEFBF4EF25314F144269E854A7382E7B49A44C7E1

Function 001947F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0019499F

Strings

ios_base::failbit set, xrefs: 00194828
ios_base::badbit set, xrefs: 00194937, 00194962

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: 489e2cd1f8cfcf8f7aa312c65650e7b83eee281504639bc4e1f2bb0331df1ea8
Instruction ID: ebd4416008110776002eaee5368f9e2f34b50e75521f3353e8388eb94c0f66aa
Opcode Fuzzy Hash: 489e2cd1f8cfcf8f7aa312c65650e7b83eee281504639bc4e1f2bb0331df1ea8
Instruction Fuzzy Hash: 9D41F6B1D04248AFCB04DF98CC45FAEBBB8EB19710F14825DF554AB781D775AA01CBA1

Function 00194040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00194061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001940C4

Strings

bad locale name, xrefs: 001940E6

Memory Dump Source

Source File: 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000005.00000002.2960355499.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2960518096.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2961275866.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2962287913.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2963200674.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964498464.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2964562085.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_MPGPH131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 253a6eb378c3a017e9fd6111ac7ebb26f850daaf73351ed85e6e143f505618f4
Instruction ID: 19d4d650ea26e29ead6ae31d717b767757b63de6647f8f3765b2c6878af4373c
Opcode Fuzzy Hash: 253a6eb378c3a017e9fd6111ac7ebb26f850daaf73351ed85e6e143f505618f4
Instruction Fuzzy Hash: 18118170805B84EFD721CFA8C504B4BBFE4AF26714F14869DE49597781D3B5AA04C791

Analysis Process: MPGPH131.exePID: 7560, Parent PID: 1044COMMON

Executed Functions

Function 00257B00 Relevance: 16.8, APIs: 11, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000003D8,0000FFFF,00001006,?,00000008), ref: 00257BA7
recv.WS2_32(?,00000004,00000002), ref: 00257BC1
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00257C43
recv.WS2_32(00000000,0000000C,00000008), ref: 00257C64
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?,00000000), ref: 00257D01

Part of subcall function 00258590: WSAStartup.WS2_32 ref: 002585BB
Part of subcall function 00258590: socket.WS2_32(?,?,?,?,?,?,00319328,?,?), ref: 0025865D
Part of subcall function 00258590: connect.WS2_32(00000000,002E9BFC,?,?,?,?,00319328,?,?), ref: 00258672
Part of subcall function 00258590: closesocket.WS2_32(00000000), ref: 0025867D

recv.WS2_32(00000000,?,00000008), ref: 00257D1B
recv.WS2_32(?,00000004,00000008), ref: 00257E23
__Xtime_get_ticks.LIBCPMT ref: 00257E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00257E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00257EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00257EB9

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: recv$Sleepsetsockopt$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsocket
String ID:
API String ID: 301102601-0
Opcode ID: 624395be71bc457e061a17e4eac4767d8e574364ef31969d78318a8f7692a84f
Instruction ID: a2984d7ac0baa3b02a3521b757a8dee29257be5875ae01efc68bc27c0f569bce
Opcode Fuzzy Hash: 624395be71bc457e061a17e4eac4767d8e574364ef31969d78318a8f7692a84f
Instruction Fuzzy Hash: ADB1DE70D58308DFEB11DFA4DC49BADBBB5BB58300F208259E854AB2D2D7745D48CB91

Function 00258590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 002585BB
socket.WS2_32(?,?,?,?,?,?,00319328,?,?), ref: 0025865D
connect.WS2_32(00000000,002E9BFC,?,?,?,?,00319328,?,?), ref: 00258672
closesocket.WS2_32(00000000), ref: 0025867D

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 389687fc8f83132d045f1df28e422653441d93c46069942d9efa3a94fb66cf63
Instruction ID: 53f8c174e396633f0cbd8048d701d26cc2ef563e0c82e7fa156e144f634edee5
Opcode Fuzzy Hash: 389687fc8f83132d045f1df28e422653441d93c46069942d9efa3a94fb66cf63
Instruction Fuzzy Hash: 7331F5725153015BD7208F248C4466FB7E9FFC9375F004F1AFEA8A21D0E770991886A7

Function 00199280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,002DD15C,00000000,74D723A0,-00319880), ref: 001996C9

Strings

Ws2_32.dll, xrefs: 0019969A

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: Send
String ID: Ws2_32.dll
API String ID: 121738739-3093949381
Opcode ID: c957782b0b56759ea7d2f601c97181c95dc369a9c088b793f4358b55b31edb16
Instruction ID: cf7aa4fa535e96f84edd4bd0f74e32b2d6733a4b0e8513a3814828c131b5b0fe
Opcode Fuzzy Hash: c957782b0b56759ea7d2f601c97181c95dc369a9c088b793f4358b55b31edb16
Instruction Fuzzy Hash: 1C02BC70D14298DEDF25CFA8C8907ADBBB0EF59314F24428DE4856B286D7741A86CF92

Function 04C50000 Relevance: 1.8, APIs: 1, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fcd835c3797e619d7c27664a34000b4f9a16035dd41642bcf42ea4a2980ee9a
Instruction ID: 85e86dc2dc1ba7dbe4b7814adcbeb12c0ee088d1ea73c521a76cee2912181968
Opcode Fuzzy Hash: 9fcd835c3797e619d7c27664a34000b4f9a16035dd41642bcf42ea4a2980ee9a
Instruction Fuzzy Hash: 7761C2EB34C221BDB14285476F54AFF6A6FE6D63307388426BC07D6522F3946AC97039

Function 04C50027 Relevance: 1.8, APIs: 1, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04C50231

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 85108d2f2c71df9cc4a24c9f4ab660c0bf9ddf3d951b90d7cb4f91522eacec9d
Instruction ID: f0426824ce2a85c2fb6f3563565c7ef8ef3bbda1e13f78eb18e869f868fd3dbf
Opcode Fuzzy Hash: 85108d2f2c71df9cc4a24c9f4ab660c0bf9ddf3d951b90d7cb4f91522eacec9d
Instruction Fuzzy Hash: D661C1EB34C121BDB14285476B54AFF6B6FE6D63307388426FC07D6522F3946AC96039

Function 04C50051 Relevance: 1.8, APIs: 1, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8736bd24bfe79bba55e079ca721ca1dcbc3dbb679386a88c635af259c00d4bd1
Instruction ID: 9d10c546e9af6aadfe3f9e4b1c91baba75f479296daf0c6bc4af59ee4d2db9d1
Opcode Fuzzy Hash: 8736bd24bfe79bba55e079ca721ca1dcbc3dbb679386a88c635af259c00d4bd1
Instruction Fuzzy Hash: 3151C0EB34C220BDB10285572B54AFF5B6FE6D63707388426BC07D6522F3946AC97039

Function 04C5003B Relevance: 1.8, APIs: 1, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04C50231

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 698f87f28555b92da5e94c94154359a570ec631321f2271a8f9c14ad968ce8ec
Instruction ID: 1a3d17b185de95269753b16915b99946e82d09f0d058f35771b118094966473e
Opcode Fuzzy Hash: 698f87f28555b92da5e94c94154359a570ec631321f2271a8f9c14ad968ce8ec
Instruction Fuzzy Hash: AB51C1EB34C121BDB10285472B54AFF5B6FE6D63707388426BC07D2522F3946AC96039

Function 04C5000A Relevance: 1.8, APIs: 1, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15188d8f6923d259570423d0487baad5c604e13a739632f6ede1430933b5d32
Instruction ID: 433756bba45a03adcffa8e2e6ad89d8e7566ab4db846265e7007facd46d5a406
Opcode Fuzzy Hash: f15188d8f6923d259570423d0487baad5c604e13a739632f6ede1430933b5d32
Instruction Fuzzy Hash: 8651B0EB34C121BDB20285476B54AFF5B6FE6D63707388426FC07D6522F2946EC96039

Function 04C50074 Relevance: 1.8, APIs: 1, Instructions: 306
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04C50231

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: a32a98e3539f9fcb73c929e4f97c970181ffa2f419af9355e6e9b5780aa7b671
Instruction ID: 97d0eb9f4493390bbad8ad5774197299a868cb42e5b10e3d7f89213c21c87e0a
Opcode Fuzzy Hash: a32a98e3539f9fcb73c929e4f97c970181ffa2f419af9355e6e9b5780aa7b671
Instruction Fuzzy Hash: 0351AFEB34C221BDB20285476B54AFF576FE6D67307388426FC07D6522F3946AC96039

Function 04C500D3 Relevance: 1.8, APIs: 1, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04C50231

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: a7dc7820ae40f5649e6306903907023735b14b53572ac509baefa9e3cf83580e
Instruction ID: aac14cbe776c8b151783e5ece8cc783656a5ae1c7bc902256d12727ce9279a64
Opcode Fuzzy Hash: a7dc7820ae40f5649e6306903907023735b14b53572ac509baefa9e3cf83580e
Instruction Fuzzy Hash: FF51BFEB70C221BDB20285532B14AFF5B6FE6D67307388426FC07D5522F3946AC96039

Function 04C500C6 Relevance: 1.8, APIs: 1, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04C50231

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1e64444f3c71873b28ae0fd5c66a8989ac6708790b00bf07c94ba191df937bb8
Instruction ID: f3e65b12a781fe8b6e15a024f0734e65b910d0b7709e82a735a17d54b9a40721
Opcode Fuzzy Hash: 1e64444f3c71873b28ae0fd5c66a8989ac6708790b00bf07c94ba191df937bb8
Instruction Fuzzy Hash: 9A519FEB74C221BDB24285836B14AFF576FE6D67307388426BC07D5522F3946AC97039

Function 04C50137 Relevance: 1.8, APIs: 1, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04C50231

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 0d6452e5890fe0c5168d180d4b3a471c96f4debcf752459e4730213b41f5b7d1
Instruction ID: e0a68cfb87f3b05bea5cb6caf9e1a2dd7a9214b5694c77ff900dceca3a68b4d8
Opcode Fuzzy Hash: 0d6452e5890fe0c5168d180d4b3a471c96f4debcf752459e4730213b41f5b7d1
Instruction Fuzzy Hash: 3A51AFEB74C121BDB10285436B64AFF5B6FE6D67307388826BC07D5522F3945ACA6039

Function 04C500FF Relevance: 1.8, APIs: 1, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04C50231

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 32cce674c1feaac9e4d53ad9e31bde862cc89bd583a2a1ec04dc1d67d663aec1
Instruction ID: cbd8a5379dc0d8d3aae820ff76cb1b90f07573b47679b6d3fee54c4e2d9950d0
Opcode Fuzzy Hash: 32cce674c1feaac9e4d53ad9e31bde862cc89bd583a2a1ec04dc1d67d663aec1
Instruction Fuzzy Hash: 8551D1EB74C121BDB10285436B14AFF576FE6D67307388826FC07D5522F3845ACA6039

Function 04C5011C Relevance: 1.8, APIs: 1, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04C50231

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b87e8c3db20e7fd8ba56ce6b51c12318cf2b2570baa1c2031f475150e0fc4d12
Instruction ID: 1874a09876bffcd36efabf056aa638a9f4d8c25991326e8351b5a530a9d48762
Opcode Fuzzy Hash: b87e8c3db20e7fd8ba56ce6b51c12318cf2b2570baa1c2031f475150e0fc4d12
Instruction Fuzzy Hash: 94519DEB74C221BEB10285436F14AFF676FE6D67307388426BC07D5522F3946ACA6039

Function 04C50147 Relevance: 1.8, APIs: 1, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04C50231

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ca65c367cbd83bd5b31ae893c64106a4377e870894386400a7cb8a5f293c81a9
Instruction ID: 25f4aa89deefea6dd9052965c6155a533b463f9cd3963daa033a1e41c2338ed4
Opcode Fuzzy Hash: ca65c367cbd83bd5b31ae893c64106a4377e870894386400a7cb8a5f293c81a9
Instruction Fuzzy Hash: AE51B0EB74C120BDB20285472B54AFF576FE6D67307388826FC07D6522F3945ACA6139

Function 04C5016E Relevance: 1.8, APIs: 1, Instructions: 254COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04C50231

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 926da158d3552fd46dfacff67bbc3b4505038582eda2d6bb6153b507a9c8f747
Instruction ID: 55507b41d97f1dab0ce33cb689e0b3aba3cda3e98ba38dea3ad7527e5450e9c1
Opcode Fuzzy Hash: 926da158d3552fd46dfacff67bbc3b4505038582eda2d6bb6153b507a9c8f747
Instruction Fuzzy Hash: ED519DEB74C121BEB20285572F14AFF676FE6D67307388426BC07D2522F3945ACA6039

Function 04C5018C Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04C50231

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 57fc414d6ca993e630cc12f5a3ae5af4fc5ec332cb25243be7bc60ff3a93ae3a
Instruction ID: 78465b166253c894f75c6e30b3fc411ba8a1aa66db6f121c323789f36021b04f
Opcode Fuzzy Hash: 57fc414d6ca993e630cc12f5a3ae5af4fc5ec332cb25243be7bc60ff3a93ae3a
Instruction Fuzzy Hash: 68419CEB34C120BDB10285932F14AFE676FE6D67307388826FC07D1522F3946ACA6039

Function 04C501AC Relevance: 1.7, APIs: 1, Instructions: 238COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04C50231

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: a3df37296005b5b0944431638c2afb40b19cb8b6cfb61fe801202866590de9c2
Instruction ID: c7613971162e06b2a28bb79a41682b7e2d3e7429528ac365962eefb7c8911c1d
Opcode Fuzzy Hash: a3df37296005b5b0944431638c2afb40b19cb8b6cfb61fe801202866590de9c2
Instruction Fuzzy Hash: B0416EEB34C120BDB14285972F24AFE576FE6D67307388426FC07D5522F3945AC96039

Function 04C501CE Relevance: 1.7, APIs: 1, Instructions: 223COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04C50231

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c3f6a7478e52115612c3f10d1f4695b48afd3f5479966361c1a4b3fade86eef5
Instruction ID: 4b59b6c960a1d07150e89461fca1c946e1a6c101a07f3553435b4fb18170b03c
Opcode Fuzzy Hash: c3f6a7478e52115612c3f10d1f4695b48afd3f5479966361c1a4b3fade86eef5
Instruction Fuzzy Hash: B041A2EB74C120BEB14285572B14AFE576FE6D67307388426FC07D1522F3945AC96039

Function 04C501E5 Relevance: 1.7, APIs: 1, Instructions: 218COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04C50231

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8c93a7ece5be7aa056f8a6c5db668e7ebd73b52ee496b1163fe80f8987a21640
Instruction ID: 26f456163dddaafd26e255634ecfd03e11f6cc904332770a1ab04be83a9d7d16
Opcode Fuzzy Hash: 8c93a7ece5be7aa056f8a6c5db668e7ebd73b52ee496b1163fe80f8987a21640
Instruction Fuzzy Hash: 4841C5EB74C110BEB14281572F24AFE6B6FE6D67307388426FC07D6522F3945AC96039

Function 04C50254 Relevance: 1.7, APIs: 1, Instructions: 215COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04C50231

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 9b72e5b454a92e9b917563d6e7a2b533ae25c224ea2d95ec6dddad80673c7002
Instruction ID: 11c7eecb46cfb94cdf3184da7b70a8eef064eba2968b562789cb26d56636bb00
Opcode Fuzzy Hash: 9b72e5b454a92e9b917563d6e7a2b533ae25c224ea2d95ec6dddad80673c7002
Instruction Fuzzy Hash: 1741B1EB74C120BEB14281972B14AFE5B6FE6D67307388422BC07D5522F3945AC97039

Function 04C50225 Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04C50231

Memory Dump Source

Source File: 00000006.00000002.2973317412.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7d46c6f96bad658e5692eb0b1892908cc7e7ad080bc86ea12e2e66794d7ec6ef
Instruction ID: 96a0c6f8295771cb3527e935eb935213cc3377bd96c5c6bc27ebb79cec661867
Opcode Fuzzy Hash: 7d46c6f96bad658e5692eb0b1892908cc7e7ad080bc86ea12e2e66794d7ec6ef
Instruction Fuzzy Hash: 1D419EEB34C120BEB54285972B14AFE6B6FE6D67307388426FC07D6522F3945AC96039

Function 001D9789 Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001D990E

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 61dd991c2deaa1b8eea7bc2378ec7afd5a462a98d4428d2064ab239692b8c03e
Instruction ID: b20d86af326a0cdfae9f095767f630773a36a8619b5f1d2d6b3df2001581b2a5
Opcode Fuzzy Hash: 61dd991c2deaa1b8eea7bc2378ec7afd5a462a98d4428d2064ab239692b8c03e
Instruction Fuzzy Hash: 5261B472D04119BFDF15DFA8C880EEEBBB9AF19308F14018AE904A7346D732D901DBA0

Function 001D8DFF Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,001D8CE6,00000000,?,0030A178,0000000C,001D8DA2,?,?,?), ref: 001D8E55

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4135fd90e1334349a08d4fca327b4cbf925c9f66aa5043ad80cd6a0e638242e5
Instruction ID: af2f94ec8ad903e2ab82810af4c0a53c278020e0bce513698ebe8c3b8a6944d3
Opcode Fuzzy Hash: 4135fd90e1334349a08d4fca327b4cbf925c9f66aa5043ad80cd6a0e638242e5
Instruction Fuzzy Hash: B4114E3360612069D62933389841BBE678D4B92738F39065FF9189F3C2DF61DC814595

Function 001D251C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,001D2626,?,?,?,?,?), ref: 001D2558

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 8d14e757dd7dd64ebf03629d5992cfea73bba0a82f6a0bee8faf105d640e92f0
Instruction ID: 85806d0ca5df745b1c86d008416914374319fd61bc78ed0233a78caa4547a402
Opcode Fuzzy Hash: 8d14e757dd7dd64ebf03629d5992cfea73bba0a82f6a0bee8faf105d640e92f0
Instruction Fuzzy Hash: 93012632710104AFDF09DF19DC11CDE7B5ADB95330B240149F8119B3A1E771ED428B90

Function 001932D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0019331F

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: 9a938fad64ebf40b021adcaa69c9ae37b2d8c2f4359c334488802a9686c87024
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: AFF09A72140114AADF186FA4E8159EAB3E8EE353A1750096EE8A9C7212EF26DB408790

Function 001DA65A Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,001D9FE0,00000001,00000364,00000001,00000006,000000FF,?,001C4B3F,?,?,74D723A0,?), ref: 001DA69C

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bce1902c95caa2262a5829939a512512eb8b836beac50f788a8e1a3ff0f34c04
Instruction ID: 16275f13c606c0fba3abb1954581328fa33858020486986dbd1737da9ea7d26e
Opcode Fuzzy Hash: bce1902c95caa2262a5829939a512512eb8b836beac50f788a8e1a3ff0f34c04
Instruction Fuzzy Hash: DCF08232511625EA9F22EA769C25BAB3B5DAF51760F9D8113FC04EB380DB34DC0086E6

Function 001DB094 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,001C4B3F,?,?,74D723A0,?,?,00193522,?,?), ref: 001DB0C6

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8da2479887605d9b561bff288e2efcef68a9a98000d084d1d994bb1854b11a65
Instruction ID: 435775c4d127634cdd608ef4b87ebdd08bcec15c77d1862dd40c37df957efbed
Opcode Fuzzy Hash: 8da2479887605d9b561bff288e2efcef68a9a98000d084d1d994bb1854b11a65
Instruction Fuzzy Hash: B2E09B32149620E6DB3136699C51B5F766D9F413A0F574213FC26A77D1DB74CC1081E5

Non-executed Functions

Function 001CC960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: 27f0dc3dd47f61ba77ccf921b8d0747872099d25bc87f4dda97fa330c784dd36
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: 6E021971E012199BDB14CFA9C890BAEBBB1FF58314F24826DE919E7380D731AD41CB94

Function 001DBB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 001DBBEC

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: 50663312eafb5820b65abbd14ad4ab6c215d965b6876ee8b9d508dc424d69d71
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: DDB16632E08695DFDB158F68CCC2BEE7BA5EF69310F164157E906AB382D7749801C7A0

Function 001C72D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 001C7307
___except_validate_context_record.LIBVCRUNTIME ref: 001C730F
_ValidateLocalCookies.LIBCMT ref: 001C7398
__IsNonwritableInCurrentImage.LIBCMT ref: 001C73C3
_ValidateLocalCookies.LIBCMT ref: 001C7418

Strings

csm, xrefs: 001C73AD

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ac65a7f329f5bd00bc35a4b7d404c1ce5908e3d955e1547b75e9d6e68bcf6263
Instruction ID: 58abb4dd4b351b33951902f6a90f349e2192a7fa1c374b55b4a08cc8b9ffac3e
Opcode Fuzzy Hash: ac65a7f329f5bd00bc35a4b7d404c1ce5908e3d955e1547b75e9d6e68bcf6263
Instruction Fuzzy Hash: FD41A034E04249ABCF14DF68C885F9EBBA5BF64324F148059EC189B392DB71EA01DF91

Function 001AA060 Relevance: 9.1, APIs: 6, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001AA09D
std::_Lockit::_Lockit.LIBCPMT ref: 001AA0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 001AA0E7
__Getctype.LIBCPMT ref: 001AA1C5
std::_Facet_Register.LIBCPMT ref: 001AA1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 001AA223

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: bc9cc9e601676c6b4b21f0ebf1c299c82444e4d8edf9584006264c34b7f996dd
Instruction ID: 2ffea626b30d328ac3bf93d1ae520ffd7b57dfe8a7070992e3a0c15811bd2104
Opcode Fuzzy Hash: bc9cc9e601676c6b4b21f0ebf1c299c82444e4d8edf9584006264c34b7f996dd
Instruction Fuzzy Hash: A851DAB4D00248DFCB11CF58C941BAEBBF4AF25710F28815DE854AB391EB75AE04CB92

Function 001AC430 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001AC45A
std::_Lockit::_Lockit.LIBCPMT ref: 001AC47C
std::_Lockit::~_Lockit.LIBCPMT ref: 001AC4A4
std::_Facet_Register.LIBCPMT ref: 001AC59A
std::_Lockit::~_Lockit.LIBCPMT ref: 001AC5C4

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: d96190c4cd2e722338be58131a39320fbd5b12bec00555f4b179fdfd53b2c7a3
Instruction ID: 664c1004bc02da5abfec0968a4e3eb53a387f1799a585e20dd926a23a072c1f6
Opcode Fuzzy Hash: d96190c4cd2e722338be58131a39320fbd5b12bec00555f4b179fdfd53b2c7a3
Instruction Fuzzy Hash: 0651DBB0900248DFDB12CF58C854BAEBBF4FB26314F24815DE855AB380D771AA05CBD0

Function 00194900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0019499F

Strings

ios_base::eofbit set, xrefs: 00194946
ios_base::failbit set, xrefs: 00194828, 00194941
ios_base::badbit set, xrefs: 00194937, 00194962

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: d17cb17f824c2ba873af8c42df071e22496943d7707552bb527d29d2cc4a806e
Instruction ID: e399aa6cc94ba60d89ab9b881228e0b6805d9fa69d5b806feed30ee744388dec
Opcode Fuzzy Hash: d17cb17f824c2ba873af8c42df071e22496943d7707552bb527d29d2cc4a806e
Instruction Fuzzy Hash: 4D115972914A48ABCB14DF588C02FAA7398DB19724F08462DFA588B2C1EB35A911C7D2

Function 001C2729 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001C2730
std::_Lockit::_Lockit.LIBCPMT ref: 001C273B
std::_Lockit::~_Lockit.LIBCPMT ref: 001C27A9

Part of subcall function 001C288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 001C28A4

std::locale::_Setgloballocale.LIBCPMT ref: 001C2756

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 08cb9cd91c81c4ecea6b7384bdb36b0153a2e617cabfba80cdb19d6a8b2a4f83
Instruction ID: 4cec7bb373b569fecb7c56b422d1c8c32cd4f14744d36664055e1c1ad77500c6
Opcode Fuzzy Hash: 08cb9cd91c81c4ecea6b7384bdb36b0153a2e617cabfba80cdb19d6a8b2a4f83
Instruction Fuzzy Hash: 0D01D479A002108BC70AEB20D885A7D77B1BFB9750B18444DE82157381CF74EE02CFD5

Function 00197350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0019750C
___std_exception_destroy.LIBVCRUNTIME ref: 00197522

Strings

[json.exception., xrefs: 001973A1

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 0c3c2b6850d2a758a1e5cd396362de189af7eabdcab0a77548a7d5c87e896f1c
Instruction ID: 03a24a4de163aa6bab2a21098ea8bb69e012dc7da200ef8ef41eb1029525f81b
Opcode Fuzzy Hash: 0c3c2b6850d2a758a1e5cd396362de189af7eabdcab0a77548a7d5c87e896f1c
Instruction Fuzzy Hash: FC51C1B1C146489FDB00DFA8C905BAEFBF4EF25314F144269E854A7382E7B49A44C7E1

Function 001947F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0019499F

Strings

ios_base::failbit set, xrefs: 00194828
ios_base::badbit set, xrefs: 00194937, 00194962

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: 489e2cd1f8cfcf8f7aa312c65650e7b83eee281504639bc4e1f2bb0331df1ea8
Instruction ID: ebd4416008110776002eaee5368f9e2f34b50e75521f3353e8388eb94c0f66aa
Opcode Fuzzy Hash: 489e2cd1f8cfcf8f7aa312c65650e7b83eee281504639bc4e1f2bb0331df1ea8
Instruction Fuzzy Hash: 9D41F6B1D04248AFCB04DF98CC45FAEBBB8EB19710F14825DF554AB781D775AA01CBA1

Function 00194040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00194061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001940C4

Strings

bad locale name, xrefs: 001940E6

Memory Dump Source

Source File: 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, Offset: 00190000, based on PE: true

Associated: 00000006.00000002.2960301741.0000000000190000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2960323258.0000000000315000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961085053.000000000031A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.000000000031D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005C4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2961218867.00000000005DA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2963155791.00000000005DB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964449781.000000000077B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2964517557.000000000077D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_190000_MPGPH131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 253a6eb378c3a017e9fd6111ac7ebb26f850daaf73351ed85e6e143f505618f4
Instruction ID: 19d4d650ea26e29ead6ae31d717b767757b63de6647f8f3765b2c6878af4373c
Opcode Fuzzy Hash: 253a6eb378c3a017e9fd6111ac7ebb26f850daaf73351ed85e6e143f505618f4
Instruction Fuzzy Hash: 18118170805B84EFD721CFA8C504B4BBFE4AF26714F14869DE49597781D3B5AA04C791

Analysis Process: RageMP131.exePID: 7872, Parent PID: 2580COMMON

Executed Functions

Function 004A7B00 Relevance: 16.8, APIs: 11, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000404,0000FFFF,00001006,?,00000008), ref: 004A7BA7
recv.WS2_32(?,00000004,00000002), ref: 004A7BC1
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 004A7C43
recv.WS2_32(00000000,0000000C,00000008), ref: 004A7C64
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?,00000000), ref: 004A7D01

Part of subcall function 004A8590: WSAStartup.WS2_32 ref: 004A85BA
Part of subcall function 004A8590: socket.WS2_32(?,?,?,?,?,?,00569328,?,?), ref: 004A865D
Part of subcall function 004A8590: connect.WS2_32(00000000,00539BFC,?,?,?,?,00569328,?,?), ref: 004A8671
Part of subcall function 004A8590: closesocket.WS2_32(00000000), ref: 004A867D

recv.WS2_32(00000000,?,00000008), ref: 004A7D1B
recv.WS2_32(?,00000004,00000008), ref: 004A7E23
__Xtime_get_ticks.LIBCPMT ref: 004A7E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004A7E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004A7EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004A7EB9

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: recv$Sleepsetsockopt$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsocket
String ID:
API String ID: 301102601-0
Opcode ID: 23b4d3d5403841792f29d6e4ed52ad9155e0bc26d34068bb420b3e5caa6655fe
Instruction ID: e68ca7674752a0852d388c142a40fd27721d5cc1e44d8677166a3cfab5308135
Opcode Fuzzy Hash: 23b4d3d5403841792f29d6e4ed52ad9155e0bc26d34068bb420b3e5caa6655fe
Instruction Fuzzy Hash: 91B1CF70D043089FEB20DBA8CC49BAEBBB5BB65304F104259E454AB2E2D7B45D88DB91

Function 004A8590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 004A85BA
socket.WS2_32(?,?,?,?,?,?,00569328,?,?), ref: 004A865D
connect.WS2_32(00000000,00539BFC,?,?,?,?,00569328,?,?), ref: 004A8671
closesocket.WS2_32(00000000), ref: 004A867D

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 73d86a58414e999d262a8315df3bf9d8a242cad484aafdb393fe8563f383d10d
Instruction ID: f47beb5b3d69ee4ba010e4bf9c99316da0b02351c6c65cdd2acb182833907309
Opcode Fuzzy Hash: 73d86a58414e999d262a8315df3bf9d8a242cad484aafdb393fe8563f383d10d
Instruction Fuzzy Hash: 9A31E6725053005BE7209F648C44A2BB7E5FBD6738F104F1EF9A4A22D0D7749C1486AB

Function 003E9280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0052D15C,00000000,74D723A0,-00569880), ref: 003E96C9

Strings

Ws2_32.dll, xrefs: 003E969A

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: Send
String ID: Ws2_32.dll
API String ID: 121738739-3093949381
Opcode ID: 01e7805059a7c888566921afd42c58fe31c6f13c5eed8d8e924d3309e29e3139
Instruction ID: cd48b06d28ca2808f8789daf5ffec60a764cdc534bf8fdfd23293f741d28501e
Opcode Fuzzy Hash: 01e7805059a7c888566921afd42c58fe31c6f13c5eed8d8e924d3309e29e3139
Instruction Fuzzy Hash: 5502CC70D042A8DFDF25CFA5C8907ADBBB0EF55304F24428EE4856B6C6D7741986CB92

Function 04F808A3 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8ZF6, xrefs: 04F809B7

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID:
String ID: 8ZF6
API String ID: 0-476698926
Opcode ID: 7a3f78d57b01beddd8cddc4d3c5538b9c3243197fe67e62e8a0abd4daf9b1947
Instruction ID: b629801dca7dc7b727bd07ce25240988b5930311bb81cffd1c682ee710cc52fa
Opcode Fuzzy Hash: 7a3f78d57b01beddd8cddc4d3c5538b9c3243197fe67e62e8a0abd4daf9b1947
Instruction Fuzzy Hash: C35104EB34D114BDB142A5856B55AF66B6EE7D37303B2842EF403D9602FAD81A8F3031

Function 04F8087C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8ZF6, xrefs: 04F809B7

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID:
String ID: 8ZF6
API String ID: 0-476698926
Opcode ID: 5704159c62ba150149f8f095b022edfcb04c3e63ea4c09e28e49b124ae5d6b2c
Instruction ID: e2bc418aa0bea67ff6ed3c90801ff319713c75239e45ed680a7740af1fd4c6d0
Opcode Fuzzy Hash: 5704159c62ba150149f8f095b022edfcb04c3e63ea4c09e28e49b124ae5d6b2c
Instruction Fuzzy Hash: E051F5E734D115BD7142A1856B55AF66B6EE7D73303B2842EF003DD602FAD82A8F2131

Function 04F808E0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8ZF6, xrefs: 04F809B7

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID:
String ID: 8ZF6
API String ID: 0-476698926
Opcode ID: b0e6fd48d86ba299b882aa4be558aae20c50c41a40766540a63179432dc99b01
Instruction ID: 0d3080a2859804af8d12a0cdf86859eea84bd34880bac8195788a0b33b7b4dcf
Opcode Fuzzy Hash: b0e6fd48d86ba299b882aa4be558aae20c50c41a40766540a63179432dc99b01
Instruction Fuzzy Hash: 4251F6E734D115BDB142A5856B51AF66B6EE7D33303B2842EF407D9602FA982A8F2031

Function 04F80892 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(00000ED7), ref: 04F80B5F

Strings

8ZF6, xrefs: 04F809B7

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: 8ZF6
API String ID: 2104809126-476698926
Opcode ID: 7bccb69238b8cfd6a9ff62716a365ab05607563a8d5a9f6e1f4d4f1f92c1363f
Instruction ID: 1922fb7e2f048444cd306ff3f2a7ffc30765b04a9f92ae490ff0eae582fd6774
Opcode Fuzzy Hash: 7bccb69238b8cfd6a9ff62716a365ab05607563a8d5a9f6e1f4d4f1f92c1363f
Instruction Fuzzy Hash: 0441F4EB34D115BD7142A1856B51AF65AAEE7D73303B2842EF403D9602FAD81A8F3131

Function 04F80931 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8ZF6, xrefs: 04F809B7

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID:
String ID: 8ZF6
API String ID: 0-476698926
Opcode ID: 8945a4ac0078198ab3f911fe5e79e2b601e9be6f9c1c5fbc8d293d7f590f3bd6
Instruction ID: 238dc44f1dea5c324d7db912883152156699d27fdc3b5c3c6f7994fb2f243d67
Opcode Fuzzy Hash: 8945a4ac0078198ab3f911fe5e79e2b601e9be6f9c1c5fbc8d293d7f590f3bd6
Instruction Fuzzy Hash: DE410AE734D111BDB142A5855B55AF66A6EF7D33307B2842EF403D9642FA982A4F3031

Function 04F80919 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(00000ED7), ref: 04F80B5F

Strings

8ZF6, xrefs: 04F809B7

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: 8ZF6
API String ID: 2104809126-476698926
Opcode ID: 02116c370f0f3ef825efc7dd2fafbba81bea4be803a26020b7fcd3b0503b3e88
Instruction ID: 52400fe7c495250ec40f04e934301484000507559cf648edde2e5729b6aedf62
Opcode Fuzzy Hash: 02116c370f0f3ef825efc7dd2fafbba81bea4be803a26020b7fcd3b0503b3e88
Instruction Fuzzy Hash: C141F7E734D111BDB142A5856B55AF65A6EE7D37307B2842EF403D9642FAC82A8F3031

Function 04F8090B Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(00000ED7), ref: 04F80B5F

Strings

8ZF6, xrefs: 04F809B7

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: 8ZF6
API String ID: 2104809126-476698926
Opcode ID: 7637713c8656ad772fd0201c39a0c6debae3a007b9a756dca09b015741b8c8f5
Instruction ID: 12429d99c3e528af140eb423e9bd48aa6fae94119568ed903bbbc6d7ed120976
Opcode Fuzzy Hash: 7637713c8656ad772fd0201c39a0c6debae3a007b9a756dca09b015741b8c8f5
Instruction Fuzzy Hash: 334104E734D111BDB142A1856B51EF65A6EE7D33303B2842EF403D9602FA882A8F3032

Function 04F80951 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8ZF6, xrefs: 04F809B7

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID:
String ID: 8ZF6
API String ID: 0-476698926
Opcode ID: 99bd548293d5582193acbfb18b834e6125964eb5d7b98e770dcee7e2ad34742a
Instruction ID: 5feff05ec228e5a23bfb2694c1c44ef4c3992777eed1335348166847f63a2d2a
Opcode Fuzzy Hash: 99bd548293d5582193acbfb18b834e6125964eb5d7b98e770dcee7e2ad34742a
Instruction Fuzzy Hash: 9D4116E734D115BC7142A1866B55EF75A6EE7D33307B2842EF407DA602FA881A8F3032

Function 04F8095A Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(00000ED7), ref: 04F80B5F

Strings

8ZF6, xrefs: 04F809B7

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: 8ZF6
API String ID: 2104809126-476698926
Opcode ID: d6d96ccd3a405dde239be5f2691dce955303ac49169ce3b0697e723b9d87bc38
Instruction ID: 178b096534420e36c68feec7faae1a1ec80cb6864592202e4bd499a3b1f4c70c
Opcode Fuzzy Hash: d6d96ccd3a405dde239be5f2691dce955303ac49169ce3b0697e723b9d87bc38
Instruction Fuzzy Hash: 1F41F6E734D111BCB142A5865B55EF65A6EE7E33347B2842EF403D9602FA881A8F3131

Function 04F809D9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8ZF6, xrefs: 04F809B7

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID:
String ID: 8ZF6
API String ID: 0-476698926
Opcode ID: b3fdb932e742fcf976e7c2e98467e291ecded7b46aac9cd9a59cd3fd35b1ef66
Instruction ID: c04d35534010b29be24d725892f84708a65da2a5f86e6089959dd25bc4135c59
Opcode Fuzzy Hash: b3fdb932e742fcf976e7c2e98467e291ecded7b46aac9cd9a59cd3fd35b1ef66
Instruction Fuzzy Hash: C74116E730D111BCB242A5856B55EF65A6EE7D73347B2842EF403D9602FA881A8F3132

Function 04F8098D Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(00000ED7), ref: 04F80B5F

Strings

8ZF6, xrefs: 04F809B7

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: 8ZF6
API String ID: 2104809126-476698926
Opcode ID: 224e1bea2df8e9affd26ad7b03bd50b0cb25abc51bcd550495e28f54f7fb5b66
Instruction ID: 18aa8ac0460da250cb009fc6ee7dd2fbf83c95d3d3e78890353ea362d8b4da54
Opcode Fuzzy Hash: 224e1bea2df8e9affd26ad7b03bd50b0cb25abc51bcd550495e28f54f7fb5b66
Instruction Fuzzy Hash: 963104E770D115BDB242A1856B55AF65AAEE7D73307B2842FF403D9601FA881A8E2132

Function 00429789 Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042990E

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d2e116fdd986dde568c64d4568a90b2dc5e62b66719bc21cb9c6e0fc4e439ad2
Instruction ID: 6d515f79d27d4fe54e006007122da01533c121e3cfb7be18b03f2d8d05e68544
Opcode Fuzzy Hash: d2e116fdd986dde568c64d4568a90b2dc5e62b66719bc21cb9c6e0fc4e439ad2
Instruction Fuzzy Hash: EB61D6B1E04129AEDF11DFA8E840AEF7BB9AF49314F58014AE800A7302D739DD51CB69

Function 04F809C2 Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4c899e83d039b13883493ffb41e071566202cd0604f78fbaf2b12bdee54986
Instruction ID: c0eb8b0985be9c94f5337c9d14a750c316db5de7021d116ee39325fe69329c28
Opcode Fuzzy Hash: 6e4c899e83d039b13883493ffb41e071566202cd0604f78fbaf2b12bdee54986
Instruction Fuzzy Hash: 9E412AE730D151BCA242A5459B55AF21B6EE7D3330772406EF443DD642FA892A4F6131

Function 04F80A1D Relevance: 1.7, APIs: 1, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4efa93e260ef1126559dc58fc9d4efcc4131a0f3930ff856cc135f35724d4cbd
Instruction ID: d67e60391621f05b6225460e0efdf28cc706d9dbc1c336cd3221db88368f6802
Opcode Fuzzy Hash: 4efa93e260ef1126559dc58fc9d4efcc4131a0f3930ff856cc135f35724d4cbd
Instruction Fuzzy Hash: 413104E734D115BC7242A5859B55EF65AAEE7D73307B2802EF407D9601FAC82A8E3132

Function 04F809F1 Relevance: 1.7, APIs: 1, Instructions: 159COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(00000ED7), ref: 04F80B5F

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 9e1b00a6bfdd0e581431f8c9dfb74a97f756f3a810655bc73fefcced53149585
Instruction ID: 82308bee63250bd0af840f9dddb4de8f3d53c2cc33b550b59e0c6044e6f6aff2
Opcode Fuzzy Hash: 9e1b00a6bfdd0e581431f8c9dfb74a97f756f3a810655bc73fefcced53149585
Instruction Fuzzy Hash: FA3127E730D115BC7242A5859B55EF65A6EF7D33307B2842EF407D9601FA881A8E2031

Function 04F80A0B Relevance: 1.7, APIs: 1, Instructions: 153COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(00000ED7), ref: 04F80B5F

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: fb2851f026d013176cc57c74eb53552b9f0997494ef0c8151d24fb7e225a360f
Instruction ID: 66b9bfcd958d023bce083038921e9c39b8fb0bcfab6385fe6ab703fd077c8f29
Opcode Fuzzy Hash: fb2851f026d013176cc57c74eb53552b9f0997494ef0c8151d24fb7e225a360f
Instruction Fuzzy Hash: FC3108EB34D115BCB142A5856B51EF65A6EE7E73307B2802EF403D9641FAC82A8F2131

Function 04F80A4F Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(00000ED7), ref: 04F80B5F

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 0ca827d6dab7b6a239e4761fe8595e34300e776a98d8d009f35fda9b5636dcf4
Instruction ID: c40f8255d156a96cfb008e704876b12bf04944a6cd69ec5f3812f7259f6eb42e
Opcode Fuzzy Hash: 0ca827d6dab7b6a239e4761fe8595e34300e776a98d8d009f35fda9b5636dcf4
Instruction Fuzzy Hash: E52106E774D115BCB242A5855B51AF666AFF7E73307B2403EB003DA641FBC91A8E2131

Function 04F80AF7 Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(00000ED7), ref: 04F80B5F

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e9a24204011efcd8bff4102ebe3fef85ce2910ef2d65bbd1a70ea21e297646e5
Instruction ID: 1cb91e4038ad9142cfecb1bf9b524a1222796263ea497bde6312531422dcc010
Opcode Fuzzy Hash: e9a24204011efcd8bff4102ebe3fef85ce2910ef2d65bbd1a70ea21e297646e5
Instruction Fuzzy Hash: 3B21F3E370D115BCF242A5415B51AF65AAEE7E63347B2442EF003CD642FA88268F2132

Function 04F80B28 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(00000ED7), ref: 04F80B5F

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f3f4f5e034e405a9816494191fb4ef270daffa5a4c092840a7cdee6a31c3ef98
Instruction ID: b98a32667fb0085ac9dad9023ecdbc13922b2ed2322ec13f1319ee897972533d
Opcode Fuzzy Hash: f3f4f5e034e405a9816494191fb4ef270daffa5a4c092840a7cdee6a31c3ef98
Instruction Fuzzy Hash: DA1193E764D115BCA28275855B61AF65A5EFBE73343B3405EF403CD241BE892A8F2132

Function 04F80ACB Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(00000ED7), ref: 04F80B5F

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 14d26b8c4d7ca2d8e4cff130032bd877a09040929253232475450d8160557c1e
Instruction ID: e63d7a3b085052011c8f4c72b10fcdb45c13e1915e71f6c1a37ec5efa54cb3d1
Opcode Fuzzy Hash: 14d26b8c4d7ca2d8e4cff130032bd877a09040929253232475450d8160557c1e
Instruction Fuzzy Hash: 4511BFE774D125BC618275811B52EF65A5EF7E73343B2802EB403CA641BE882A8E2172

Function 04F80B4B Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(00000ED7), ref: 04F80B5F

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 746ed48378f344ef0d8577e2d4f5913884021cbc89a6b4c2949b07f123866ce8
Instruction ID: cb2592c8f7d1efba2317849c586723490705fb6efd072e498fc2fa6b1cb4a86f
Opcode Fuzzy Hash: 746ed48378f344ef0d8577e2d4f5913884021cbc89a6b4c2949b07f123866ce8
Instruction Fuzzy Hash: BD11E7E774D1116C724665916B51AF66A5EF7D32383B3846FF403CE141FA886A8F2131

Function 04F80ADE Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(00000ED7), ref: 04F80B5F

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b9904dc0505007e75740a2cac21e92bbb7b58073c8d5626e114ca705a81ee538
Instruction ID: 32db19aa0716085155579c598ec4a58e52d5174f2d3e48b0de92d67cf0574d99
Opcode Fuzzy Hash: b9904dc0505007e75740a2cac21e92bbb7b58073c8d5626e114ca705a81ee538
Instruction Fuzzy Hash: 0111A3E774D125BCB242B5852B51EF65A6EF7E63343B2402EF403C9641FE892A4F2131

Function 04F80B16 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(00000ED7), ref: 04F80B5F

Memory Dump Source

Source File: 00000007.00000002.2974513079.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d887492c4575ec00e11dc34f2201141d680033f2662541eed88acd0d8186b548
Instruction ID: 400f3b1448cf6ed41369bb1929ddcff5784a2a37cb9cb2af6282a04a140e8655
Opcode Fuzzy Hash: d887492c4575ec00e11dc34f2201141d680033f2662541eed88acd0d8186b548
Instruction Fuzzy Hash: CE01A1E774D1117CB246A4816B51AF65A5EF7E22343B2842EF403C9241FA896A8E2131

Function 00428DFF Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00428CE6,00000000,?,0055A178,0000000C,00428DA2,?,?,?), ref: 00428E55

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 945bc596d65e0ab25593887c58db4f2dbceaec68e64f9a227e8758a286691513
Instruction ID: 60811b81567e49a438ef4811a3e800e3eb715f0df9d70350803798ac57d751b6
Opcode Fuzzy Hash: 945bc596d65e0ab25593887c58db4f2dbceaec68e64f9a227e8758a286691513
Instruction Fuzzy Hash: 6B11483370213016D62522367842B7F27494B92738FAA061FF918CB2C2DE6DAC81415D

Function 0042251C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00422626,?,?,?,?,?), ref: 00422558

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 698ee2b92eacc8d0cd85eef32dd1aa25811728ad62f1395678f9e2b42f3154ed
Instruction ID: 0ef52d04ab8d2150f5b70f62e193f8379dcf9cbabccce2cccc8b44b388147d22
Opcode Fuzzy Hash: 698ee2b92eacc8d0cd85eef32dd1aa25811728ad62f1395678f9e2b42f3154ed
Instruction Fuzzy Hash: B10126327105657FCF09CF19EC1189E3B59DB85334B64420AF8109B2A1EAB5ED92CB94

Function 003E32D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 003E331F

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: f8b98b88075d2d4b5673de16b9d3de2ea707dd53297a1e11f4916432b4237e84
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: B7F059361001109BCB246F62D4099EAB3E8DF243627500A7FE88CC7292EF2ADA80C7C0

Function 0042A65A Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,00429FE0,00000001,00000364,00000001,00000006,000000FF,?,00414B3F,?,?,74D723A0,?), ref: 0042A69B

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7457c6601432358f82ee40ae2728a6bc33fb928b0629c87a2d2609bc6b6fff6a
Instruction ID: 5319a74dd87f8a0d3d4e6bfc27a4be277f5b8287362978d7d70a2dd6f6a09bb3
Opcode Fuzzy Hash: 7457c6601432358f82ee40ae2728a6bc33fb928b0629c87a2d2609bc6b6fff6a
Instruction Fuzzy Hash: 39F02432311130ABDB216A62BC05B1B334CAF41760F9C8157EC84EB280CB38DC2045AE

Function 0042B094 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00414B3F,?,?,74D723A0,?,?,003E3522,?,?), ref: 0042B0C7

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 56a4308f72e2e773c26b4e551322172a43d508ed82648db8fe86b4d3c63a8690
Instruction ID: 828bafd6939f7551dc20332530eaf4ecfa01efacc8ffa330921995ff194ed03d
Opcode Fuzzy Hash: 56a4308f72e2e773c26b4e551322172a43d508ed82648db8fe86b4d3c63a8690
Instruction Fuzzy Hash: 6AE0ED313012326AEA232666BC15B5B7748DF423A0FC90213ED64E22C0DB6CCC0082EE

Function 04F904C6 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974590215.0000000004F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f128037c47050ee00a2e1e900ad07596e2b638f65623a1bff6c33a26989cd9c
Instruction ID: 772f5be7a75c89c2a750e60af4d7502084f24a821391699688401e9ac7f85431
Opcode Fuzzy Hash: 6f128037c47050ee00a2e1e900ad07596e2b638f65623a1bff6c33a26989cd9c
Instruction Fuzzy Hash: 33F024CB688040BD7853A58D9A00BF77BAEDBC2A343349826F146C6402F985AD47A860

Function 04F904B8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974590215.0000000004F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac9d94819150fe53a7131716b3cb69a3d1a7b842e4dc3fca1067c728c7a969fa
Instruction ID: 8545db425d698a6746bfe246f9f311653fbe8a5503ad019a073cb4217b4295fb
Opcode Fuzzy Hash: ac9d94819150fe53a7131716b3cb69a3d1a7b842e4dc3fca1067c728c7a969fa
Instruction Fuzzy Hash: 9AE0E5AB248110BE7052A58DA6006F67BFEDAC72703348437F106C7102EA905D0AB631

Non-executed Functions

Function 0041C960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: cbfc449cf2442b255de6347451e99f1171a3ad121806e747b8cfe1b614e3fe9e
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: F0022A71E402199BDF14CFA9D9C06EEBBB1FF48314F24826AD919E7340D735A981CB98

Function 003FA060 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 003FA09D
std::_Lockit::_Lockit.LIBCPMT ref: 003FA0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 003FA0E7
__Getctype.LIBCPMT ref: 003FA1C5
std::_Facet_Register.LIBCPMT ref: 003FA1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 003FA223

Strings

E>, xrefs: 003FA1AE
PD>, xrefs: 003FA19A
@c, xrefs: 003FA0AF, 003FA208
PG>, xrefs: 003FA1BF

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: @c$PD>$PG>$E>
API String ID: 1102183713-1092430407
Opcode ID: bb082c7adb6b919f928da73c6886a4ec8593b44cc1c70a810303630e8f89d76f
Instruction ID: c69e4e7eb98d8ab7040c3b558b6887cf82765893059b6bbc8365cfeac07f6639
Opcode Fuzzy Hash: bb082c7adb6b919f928da73c6886a4ec8593b44cc1c70a810303630e8f89d76f
Instruction Fuzzy Hash: AC51CBB0D00649CFCB12CF58D9417AEBBF4BB10314F14825DD849AB381DBB4AE88CB92

Function 004172D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00417307
___except_validate_context_record.LIBVCRUNTIME ref: 0041730F
_ValidateLocalCookies.LIBCMT ref: 00417398
__IsNonwritableInCurrentImage.LIBCMT ref: 004173C3
_ValidateLocalCookies.LIBCMT ref: 00417418

Strings

csm, xrefs: 004173AD
`->, xrefs: 004173DC

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: `->$csm
API String ID: 1170836740-1728804828
Opcode ID: c043c6fa2de01198bbc9f8f779a7a4b850e7f1dba340b1e38ef72583e3d0986f
Instruction ID: 07c8c52506078abc0b61489e1dd418abcac4bafb1d930278b6d6b388f7018ef8
Opcode Fuzzy Hash: c043c6fa2de01198bbc9f8f779a7a4b850e7f1dba340b1e38ef72583e3d0986f
Instruction Fuzzy Hash: F941C634A042199BCF10DF59C885ADEBBB5AF04318F14815AFC149B392DB39DA81DB95

Function 003FC430 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 003FC45A
std::_Lockit::_Lockit.LIBCPMT ref: 003FC47C
std::_Lockit::~_Lockit.LIBCPMT ref: 003FC4A4
std::_Facet_Register.LIBCPMT ref: 003FC59A
std::_Lockit::~_Lockit.LIBCPMT ref: 003FC5C4

Strings

E>, xrefs: 003FC562
PD>, xrefs: 003FC54E

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: E>$PD>
API String ID: 459529453-97385129
Opcode ID: 7f6e8b4fe99ced46bc85cf5e4686343daf684767a82e194e9167e3f44a36bf6b
Instruction ID: 3492fd7c7d05926ade36f58f1ad398ba38e993e82426c6f0a77ece471c9ea8a9
Opcode Fuzzy Hash: 7f6e8b4fe99ced46bc85cf5e4686343daf684767a82e194e9167e3f44a36bf6b
Instruction Fuzzy Hash: 1A51DB70900248DBDB12CF99DA50BAEBBF4FB11314F24815DE845AB381D7B5AE09CB90

Function 0042BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0042BBEC

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: b72e321d3f6d5d67aeeb02919d18be7adf54166526bfe91b0a390d3b9fe8f9f4
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: F3B14532B003659FDB118E24DC82BEFBBA5EF59310F55416BE944AB382D7789801C7E9

Function 00412729 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00412730
std::_Lockit::_Lockit.LIBCPMT ref: 0041273B
std::_Lockit::~_Lockit.LIBCPMT ref: 004127A9

Part of subcall function 0041288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004128A4

std::locale::_Setgloballocale.LIBCPMT ref: 00412756

Strings

`->, xrefs: 00412778, 0041279C

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID: `->
API String ID: 677527491-1457345910
Opcode ID: 24b659bd5b82bbeca5c7cd7a25cfabecdc0d9f5a5629cf3319d47b4afc8bfd7c
Instruction ID: 3dec5aab2ac03ce3e4c2badf16e5a16401bf6cb26a9454d6adc833208091372b
Opcode Fuzzy Hash: 24b659bd5b82bbeca5c7cd7a25cfabecdc0d9f5a5629cf3319d47b4afc8bfd7c
Instruction Fuzzy Hash: 2001FC35A002109BCB0AAB24D8415BE7BB0BF94754B08050EE81197381CFB8AE96DB89

Function 003E7350 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 003E750C
___std_exception_destroy.LIBVCRUNTIME ref: 003E7522

Strings

[json.exception., xrefs: 003E73A1
)>, xrefs: 003E7502, 003E751C

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )>$[json.exception.
API String ID: 4194217158-421053594
Opcode ID: da9df3443d6c982feb030e59eeafa46a3a2709feb705c61f0c886107177e791c
Instruction ID: 6599f1a14fed2dffd2668f3631baacfcb63c0901fbfbd920b410a0fe4885ea4d
Opcode Fuzzy Hash: da9df3443d6c982feb030e59eeafa46a3a2709feb705c61f0c886107177e791c
Instruction Fuzzy Hash: 0C51DFB1D046889FDB01DFA8C905BAEBBF4EF15314F144259E854AB3C2E7B85A44CBE1

Function 003E4900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 003E499F

Strings

ios_base::badbit set, xrefs: 003E4937, 003E4962
ios_base::eofbit set, xrefs: 003E4946
ios_base::failbit set, xrefs: 003E4828, 003E4941

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: 022f27686ebb0bea830665f8ca77e2b8b728ef1fdf5e7cfb9f430f6a3de66036
Instruction ID: e0108155942b1716ecbb9a595a2b0022be2a256d6f5becc1a78b776f59b38de4
Opcode Fuzzy Hash: 022f27686ebb0bea830665f8ca77e2b8b728ef1fdf5e7cfb9f430f6a3de66036
Instruction Fuzzy Hash: CC119C72804694ABC711DE299C02BE637DCF709710F04472AFD549B2C2FB35A800C796

Function 003E36E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 003E3819
___std_exception_destroy.LIBVCRUNTIME ref: 003E38F0

Strings

)>, xrefs: 003E37ED, 003E38EA

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: )>
API String ID: 2970364248-1110121906
Opcode ID: 444e03847a8fe4afe798d7392c969e054ec1bf9bc5cdbb2c39a68e0544d8c3bd
Instruction ID: 9e735ac2627b2f6f304f5a277481f85841809954c683130283dc3d6c93ec116a
Opcode Fuzzy Hash: 444e03847a8fe4afe798d7392c969e054ec1bf9bc5cdbb2c39a68e0544d8c3bd
Instruction Fuzzy Hash: B06169B1C04258EFDB11CF98C849B9DFFB4FF19324F14825AE814AB282D7B55A44CBA1

Function 003E47F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 003E499F

Strings

ios_base::badbit set, xrefs: 003E4937, 003E4962
ios_base::failbit set, xrefs: 003E4828

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: 1bd3847d109f9543bd607e9f8548c36c89da8282289638e539c263d33e83765e
Instruction ID: 55db3f0f3a41efbec10717cf1fa0cb2fbc18634589536c41fc7c78681de11789
Opcode Fuzzy Hash: 1bd3847d109f9543bd607e9f8548c36c89da8282289638e539c263d33e83765e
Instruction Fuzzy Hash: FB4123B1C00298ABCB05DF69D845BAEBBB8FB09710F14835DF454AB2C2D7756A00CBA1

Function 003E4040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 003E4061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003E40C4

Strings

bad locale name, xrefs: 003E40E6

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 72ac13644fce9f1e7c2e17a66e90edf1d3fe0d9c7e3650a2b2b324a6ce242b57
Instruction ID: a189d638d45b9a71b0debd529c327e43c9e462032541aa667d8b6f46390d2de3
Opcode Fuzzy Hash: 72ac13644fce9f1e7c2e17a66e90edf1d3fe0d9c7e3650a2b2b324a6ce242b57
Instruction Fuzzy Hash: 7D110370805B84EED721CF69C50478BBFF0AF15714F10868DD09597B82D3B96A04C791

Function 003F6590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 003F65C9
___std_exception_copy.LIBVCRUNTIME ref: 003F65FC

Strings

)>, xrefs: 003F65BA, 003F65ED

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_copy
String ID: )>
API String ID: 2659868963-1110121906
Opcode ID: 8cf3c359dce0db1a9b4cc3a92e756038ac4fa383c77791c670c42fec0b9abf73
Instruction ID: a15d27ecf778d78b18a7bcead0eaf6feeb653572dd4362e5035b282136e9ccb8
Opcode Fuzzy Hash: 8cf3c359dce0db1a9b4cc3a92e756038ac4fa383c77791c670c42fec0b9abf73
Instruction Fuzzy Hash: B11130B5904748EBCB11DF99D980B86FBF8FF09724F10876AF81497641E774A5408BA0

Function 003E7A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 003E7A5C
___std_exception_destroy.LIBVCRUNTIME ref: 003E7A72

Strings

)>, xrefs: 003E7A52, 003E7A6C

Memory Dump Source

Source File: 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000007.00000002.2960341431.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2960594163.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962230714.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2962318691.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964273883.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964697391.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2964768546.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3e0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )>
API String ID: 4194217158-1110121906
Opcode ID: 6d5944d71b9cbe39469e1dd18e5ad17861c5d33586b31f30fb978a6eea7596a6
Instruction ID: 6a645197ac80297d8d2e281e4e9c9141b3013f91c5cdd7d51eb5076eaa305aca
Opcode Fuzzy Hash: 6d5944d71b9cbe39469e1dd18e5ad17861c5d33586b31f30fb978a6eea7596a6
Instruction Fuzzy Hash: 99F06DB1804748EFC710DF98D90178DBBF8FB06729F50066AE824A3780D3B566048BA1

Analysis Process: RageMP131.exePID: 7132, Parent PID: 2580COMMON

Executed Functions

Function 004A7B00 Relevance: 16.8, APIs: 11, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000003E0,0000FFFF,00001006,?,00000008), ref: 004A7BA6
recv.WS2_32(?,00000004,00000002), ref: 004A7BC1
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 004A7C43
recv.WS2_32(00000000,0000000C,00000008), ref: 004A7C64
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?,00000000), ref: 004A7D01

Part of subcall function 004A8590: WSAStartup.WS2_32 ref: 004A85BA
Part of subcall function 004A8590: socket.WS2_32(?,?,?,?,?,?,00569328,?,?), ref: 004A865E
Part of subcall function 004A8590: connect.WS2_32(00000000,00539BFC,?,?,?,?,00569328,?,?), ref: 004A8671
Part of subcall function 004A8590: closesocket.WS2_32(00000000), ref: 004A867D

recv.WS2_32(00000000,?,00000008), ref: 004A7D1B
recv.WS2_32(?,00000004,00000008), ref: 004A7E23
__Xtime_get_ticks.LIBCPMT ref: 004A7E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004A7E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004A7EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004A7EB9

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: recv$Sleepsetsockopt$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsocket
String ID:
API String ID: 301102601-0
Opcode ID: 2efb60f059abf427376085e3028b96a6e4a5d2e3ca000675154f45c92dad290a
Instruction ID: 398b3229bced26e9f836480b7af389950bf33069aedc93864ea86cbf49513bfa
Opcode Fuzzy Hash: 2efb60f059abf427376085e3028b96a6e4a5d2e3ca000675154f45c92dad290a
Instruction Fuzzy Hash: 89B1C070D04308DFEB20DBA8CD49BAEBBB5BF65314F104259E444AB2E2D7B45D88DB91

Function 004A8590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 004A85BA
socket.WS2_32(?,?,?,?,?,?,00569328,?,?), ref: 004A865E
connect.WS2_32(00000000,00539BFC,?,?,?,?,00569328,?,?), ref: 004A8671
closesocket.WS2_32(00000000), ref: 004A867D

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 1333f6de6474a841e561420d4abe45b8af20374c81484fc4aee77b0d6ad612e2
Instruction ID: aa04d6e5e1a55c061cee842785c54bc013d56d8c4682543ebc893c59f810b55e
Opcode Fuzzy Hash: 1333f6de6474a841e561420d4abe45b8af20374c81484fc4aee77b0d6ad612e2
Instruction Fuzzy Hash: 7B31E4729053005BE7209F248C44A2BB7E5FBD6738F104F1EF9A8A32D0D7749D1486AB

Function 003E9280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0052D15C,00000000,74D723A0,-00569880), ref: 003E96C9

Strings

Ws2_32.dll, xrefs: 003E969A

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: Send
String ID: Ws2_32.dll
API String ID: 121738739-3093949381
Opcode ID: 390599b1558f39fa4ec0d471925250956efbf639c1b6e7ae82f05572b6528229
Instruction ID: 37c6f719f3dc1e0bb3c79bef24264470d3b189381d22f8c6ac81e7e9c89bfa1e
Opcode Fuzzy Hash: 390599b1558f39fa4ec0d471925250956efbf639c1b6e7ae82f05572b6528229
Instruction Fuzzy Hash: A102CC70D042A8DFDF26CFA5C8907ADBBB0EF55304F24428EE4856B6C6D7741986CB92

Function 04E102A6 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Strings

kZXP, xrefs: 04E102B0

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: kZXP
API String ID: 2104809126-3040969424
Opcode ID: b343bd73721059c302d0a0d25861872b623ecc24361bddbbd5bb0c9f99d872c4
Instruction ID: 495eb133e8ec5b593a0fec0e5fc8a25dfedd5d8c61564d80118e8fd63d808ae7
Opcode Fuzzy Hash: b343bd73721059c302d0a0d25861872b623ecc24361bddbbd5bb0c9f99d872c4
Instruction Fuzzy Hash: 90318DFB78C124BEF11281812B54AFB276DE7C6730330A427F803D1966F6946EC96171

Function 04E10000 Relevance: 1.8, APIs: 1, Instructions: 344
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6bbc32685f916d535d8aa8b4646206dd21aed1fc1ae19b2a61b7bd66264c16
Instruction ID: 27650f3e334cfa7411d15c00f53aa54140a6ad497fc66d869a4714e896a0c650
Opcode Fuzzy Hash: 6c6bbc32685f916d535d8aa8b4646206dd21aed1fc1ae19b2a61b7bd66264c16
Instruction Fuzzy Hash: 90618BFB38C224BDF15285812B54AFB676DE7C6630730A826F407D6922F6982EC97131

Function 04E100D0 Relevance: 1.8, APIs: 1, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7674f90bc2be8f9970bd9e5d26010e53b76eb7b162c29decf4891cbe1254ba4c
Instruction ID: 9ed25b9d8122a796c602b0d7d05ca9f27b20e0a0bb09410c7256d6cf7e26e32e
Opcode Fuzzy Hash: 7674f90bc2be8f9970bd9e5d26010e53b76eb7b162c29decf4891cbe1254ba4c
Instruction Fuzzy Hash: 615168FB78C224BDF15285812B54AFB676DE3CA730730A426F807D1922F2942EC96031

Function 04E100D2 Relevance: 1.8, APIs: 1, Instructions: 308
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 669c9a4984110e301119de73429673a811d257c8346f0499eb047f16cc105041
Instruction ID: f333940b3ad6b03b8a8856a78d5606e335f6fdbd7fd051fa2972b37c0cfab129
Opcode Fuzzy Hash: 669c9a4984110e301119de73429673a811d257c8346f0499eb047f16cc105041
Instruction Fuzzy Hash: 0D5169FB78C224BDF15285812B54AFB676DE3CA730730A426F807D1922F2942EC97031

Function 04E100EB Relevance: 1.8, APIs: 1, Instructions: 303
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 451e58d67e607ed1c6fdd8a6fbe032984eb21c4bdd2fb0bdf70e5aeaea9aa15e
Instruction ID: d60033c73d6d9780912bc30990952b3fcfa6e97750c57618be2fdaa0bdcb079f
Opcode Fuzzy Hash: 451e58d67e607ed1c6fdd8a6fbe032984eb21c4bdd2fb0bdf70e5aeaea9aa15e
Instruction Fuzzy Hash: 6A5159FB78C224BDF15285812B54AFB676DE7CA730730A526F407D2926F2982EC96131

Function 04E100DE Relevance: 1.8, APIs: 1, Instructions: 303
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 98a1b86ffb8a67fb2ce7b2a153d0266b2f7786a7a2c0576a6e820c27b75aedfc
Instruction ID: 57224705611bad8f1216c285c27d72744c77dffd13838a636827b77961d431f9
Opcode Fuzzy Hash: 98a1b86ffb8a67fb2ce7b2a153d0266b2f7786a7a2c0576a6e820c27b75aedfc
Instruction Fuzzy Hash: 29517AFB78C224BDF15285852B54AFB676DE3CA730730A526F807D2926F2942EC97131

Function 04E10103 Relevance: 1.8, APIs: 1, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c7050835af2d08163fe220f829b89ad7fc3050e8b232cd09ce4c48148b1e630c
Instruction ID: df3338bd6ceeb92a8c026be4d1a5c27367d9c4db347c717c44169783c8f53660
Opcode Fuzzy Hash: c7050835af2d08163fe220f829b89ad7fc3050e8b232cd09ce4c48148b1e630c
Instruction Fuzzy Hash: A051BFFB78C224BEF11285816B54AFB676DE7C6730730A427F807C2962F2942EC96031

Function 04E100C0 Relevance: 1.8, APIs: 1, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee200f04afcfacec8680a726e9fb757a9c43f51bbe40dc42b0f4254e991f9f6
Instruction ID: b1bcba2b8d0879b3c5e308a7c0b7fcccb05b80fb137d085f70519d8ea4721061
Opcode Fuzzy Hash: aee200f04afcfacec8680a726e9fb757a9c43f51bbe40dc42b0f4254e991f9f6
Instruction Fuzzy Hash: 94518BFB78C224BDF15285812B54AFB676DE7C6730730A526F807D2926F6982EC97031

Function 04E10182 Relevance: 1.8, APIs: 1, Instructions: 288
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b178ebb170dc3a1c47c83e048bb6f2619a9618c3ed7ec22c26f75dd0a1f855
Instruction ID: c43ee4dd63a5bfd6d41dd82240a64bd3f61daf42d24f8a4d8d0701b0e2e4146b
Opcode Fuzzy Hash: 50b178ebb170dc3a1c47c83e048bb6f2619a9618c3ed7ec22c26f75dd0a1f855
Instruction Fuzzy Hash: 45517AFB78D224BDF11285822B54AFB676DE7CA730730A527F407C6922F2942EC96131

Function 04E10142 Relevance: 1.8, APIs: 1, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: a14fed2578ff73ed8ccb3c978e8e67f73f5eeb8962dac14d8ecc4bc5cc39e327
Instruction ID: 7871ea44235498ac2dc76b73c58c2000386e4171506e9ca5744d2e8c5fde011a
Opcode Fuzzy Hash: a14fed2578ff73ed8ccb3c978e8e67f73f5eeb8962dac14d8ecc4bc5cc39e327
Instruction Fuzzy Hash: 05517AFB78C224BDF11285812B54AFB276DE7CA730730A526F407D6966F6942EC97031

Function 04E1015D Relevance: 1.8, APIs: 1, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: a9e1845203bad1145d27afc67b4e0f1c6656a95bcfa3dd19f287d5818bdeb9fc
Instruction ID: e52e4df47f4846b02139f6fd969a493da13dbecbeff7b4beacda051cc4bc62f5
Opcode Fuzzy Hash: a9e1845203bad1145d27afc67b4e0f1c6656a95bcfa3dd19f287d5818bdeb9fc
Instruction Fuzzy Hash: 8F519CFB78C224BDF11285812B54AFB276DE7CA730730A427F807C6962F2942EC96131

Function 04E10152 Relevance: 1.8, APIs: 1, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 872a5bb7350b9b674fb7eaa3596e8eb75731963038e292bbb97b1c2c70440d27
Instruction ID: cb8a2967977795898226ff56bc1dfcf89fd10aaba55f914bebf996a1e9709feb
Opcode Fuzzy Hash: 872a5bb7350b9b674fb7eaa3596e8eb75731963038e292bbb97b1c2c70440d27
Instruction Fuzzy Hash: 1E517BFB78C224BDF15285822B54AFB176DE7C6730730A426F407D1966F6942EC97031

Function 04E101BC Relevance: 1.7, APIs: 1, Instructions: 224COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d58bd1950469a43bcb6984c3babb9091c770d3795c58f98e7e292c112768da00
Instruction ID: 81cb9983bcf165b14e8d72ec7a26f801b2c4f79088a2e0d58cb69c096ad5575b
Opcode Fuzzy Hash: d58bd1950469a43bcb6984c3babb9091c770d3795c58f98e7e292c112768da00
Instruction Fuzzy Hash: 3E418BBB7CC124BEF15281812B54AFB276DE7CA730730A426F807D5966F6942EC9B131

Function 04E10237 Relevance: 1.7, APIs: 1, Instructions: 212COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 3425cd349cab6a0bc7e35526796019afa5ab0deb53973775938e9ef9a3dc7df4
Instruction ID: beb6a315d74458f5e27b5bd750487223de7c74f9164d139bdbce96017f4b3e79
Opcode Fuzzy Hash: 3425cd349cab6a0bc7e35526796019afa5ab0deb53973775938e9ef9a3dc7df4
Instruction Fuzzy Hash: B1419CBB7CC125BEF11281412B54AFB276DE7CA730730A467F807C2962F6942AC9A131

Function 04E10273 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 92bec4a8790932cf30d992177552c9ecb662f3bec46d2ca905213b6b88f9aecb
Instruction ID: 25f83545562ccd78e5cc620eee9882de4764d644654ceaf2602f8aa78cd7209e
Opcode Fuzzy Hash: 92bec4a8790932cf30d992177552c9ecb662f3bec46d2ca905213b6b88f9aecb
Instruction Fuzzy Hash: 6041ACBB78C125BEF11281812B54AFB276DE7DA730330A467F407D6962F6942EC9A131

Function 04E102BB Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: a5ce0cb78752c059e53d16b762151f692c9d39b329061c54809f3e6d34642c24
Instruction ID: 0dbea4378d591cfe07c1e00deca158271018296f5f80236084fbd9b78f8ded7a
Opcode Fuzzy Hash: a5ce0cb78752c059e53d16b762151f692c9d39b329061c54809f3e6d34642c24
Instruction Fuzzy Hash: C2416CBB78D225BDF11281412B64AFB176DE7CA730330A427F407D5962F6942AC96171

Function 04E10213 Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 4365bc3257c9f0e01d0a24a585ae21b5197afd3141571bc10b0a2142ea4b4ae8
Instruction ID: af9073b423f29b7ac462dfb73fcedc1a25e26e62c18f7301b1aecc382fae65f7
Opcode Fuzzy Hash: 4365bc3257c9f0e01d0a24a585ae21b5197afd3141571bc10b0a2142ea4b4ae8
Instruction Fuzzy Hash: B74159FB78C125BEF15281812B54AFB276DE7CA730730A427F807D1966F6946EC9A031

Function 04E10291 Relevance: 1.7, APIs: 1, Instructions: 201COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f77200e5cddcd33f9774d8fd4694941fd1440b89183fb5d6e219d0b00ce9cd63
Instruction ID: 8b5740b71b906443ec6831e0378f9ccfa62f8b9c57586d74a12dc195c7f4db74
Opcode Fuzzy Hash: f77200e5cddcd33f9774d8fd4694941fd1440b89183fb5d6e219d0b00ce9cd63
Instruction Fuzzy Hash: 794188FB78C125BEF16281812B54AFB176DE7CA730730A427F803D5962F6942EC9A131

Function 04E10220 Relevance: 1.7, APIs: 1, Instructions: 200COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1ad8dc8a4405c718c0b98481b36610070897f69cd622bba15007c43f48371e4f
Instruction ID: 77c46a08bc9e200139667dcb814d62e9750302b5e784e9c086f0d0008e8e193b
Opcode Fuzzy Hash: 1ad8dc8a4405c718c0b98481b36610070897f69cd622bba15007c43f48371e4f
Instruction Fuzzy Hash: 8A4188BB78C124BEF15281422B54AFB176DE7DA730330A427F803D2962F6942EC9A131

Function 04E10258 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ce979cd6e7ec88396967d18dd8e5ccf0abb9f0440c870c40cd91e2c0a5b9b6e3
Instruction ID: 942ab738311fb1162b5b46eac7be90659dc4efb4533b6704b90ebf0a1be03f8e
Opcode Fuzzy Hash: ce979cd6e7ec88396967d18dd8e5ccf0abb9f0440c870c40cd91e2c0a5b9b6e3
Instruction Fuzzy Hash: 28417CFB78C225BEF15281812B54AFB176DE7CA730330A427F803D6966F6942EC96131

Function 00429789 Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042990E

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 426f5bcca505643b634d6c75f5bcd01c36a796f9bcfc9b687adff8b5369fb866
Instruction ID: 07c072895464535d2565700ff311bbcf89ad355805c55a50dd4d6002a87abeac
Opcode Fuzzy Hash: 426f5bcca505643b634d6c75f5bcd01c36a796f9bcfc9b687adff8b5369fb866
Instruction Fuzzy Hash: 9161D7B1E04129BEDF11DFA8E840AEF7BB9AF49314F58014AE900A7302D739DD41CB69

Function 04E102E0 Relevance: 1.7, APIs: 1, Instructions: 188COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 3889c54a8e42021d57c981ad31cfcbc5e566a02db59401615b2438a2344ba3be
Instruction ID: 582a460b4cc9e08cf151fc4ee4168231c534cd4fa3e3dd91b594c4cf4361295b
Opcode Fuzzy Hash: 3889c54a8e42021d57c981ad31cfcbc5e566a02db59401615b2438a2344ba3be
Instruction Fuzzy Hash: 75316BFB78C224BEF11281422B64AFB1B6DE7DA730330A467F407D1962F6942EC96131

Function 04E102D0 Relevance: 1.7, APIs: 1, Instructions: 173COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E102F7

Memory Dump Source

Source File: 00000009.00000002.2972787784.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: badf0006c82efd41452898b24120d3213629b437feaa37c64cd97ff8c15a29d3
Instruction ID: ea1e87891579365a4a6e6cd1b3d7e79e38fc2353de9806eec53c7f3ebaf782e7
Opcode Fuzzy Hash: badf0006c82efd41452898b24120d3213629b437feaa37c64cd97ff8c15a29d3
Instruction Fuzzy Hash: 493180FB78C124AEF11281416B64AFB176DE7CA730330A467F407D5966F6942EC96131

Function 00428DFF Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00428CE6,00000000,?,0055A178,0000000C,00428DA2,?,?,?), ref: 00428E55

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bdd6e7b4d17db7ab205fd2ff36d0e7de70277785690340f189acfb71b434147f
Instruction ID: fe661e84b01a9775aa8a946cf413190c4d8361a221f602fd489e10813ef4653f
Opcode Fuzzy Hash: bdd6e7b4d17db7ab205fd2ff36d0e7de70277785690340f189acfb71b434147f
Instruction Fuzzy Hash: A8116B3370313015D62522367846B7F27498F9273CFAA061FF918CB2C2DE6C9C81415D

Function 0042251C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00422626,?,?,?,?,?), ref: 00422558

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a33d3a796ab2693b5a47cc11c5a39c12157ca7cc49802967bdb5a26846f32b19
Instruction ID: 7a4265a9108302f734fe490bc3423e0c8a63fc739c8ccf158aef261cda05f29e
Opcode Fuzzy Hash: a33d3a796ab2693b5a47cc11c5a39c12157ca7cc49802967bdb5a26846f32b19
Instruction Fuzzy Hash: 00010432700624BFDF098F19EC15C9E3B59DB85324B64420AF8119B2A0E6B5ED81CBA4

Function 003E32D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 003E331F

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: f8b98b88075d2d4b5673de16b9d3de2ea707dd53297a1e11f4916432b4237e84
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: B7F059361001109BCB246F62D4099EAB3E8DF243627500A7FE88CC7292EF2ADA80C7C0

Function 0042A65A Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,00429FE0,00000001,00000364,00000001,00000006,000000FF,?,00414B3F,?,?,74D723A0,?), ref: 0042A69C

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 961134410aadd9023261633af3efdd71335e8b5201d597a460d13ff4cb0ec11f
Instruction ID: bba0306345b16a82201a1b9da46095f14fdedf695064dca0d2cddc4583974d13
Opcode Fuzzy Hash: 961134410aadd9023261633af3efdd71335e8b5201d597a460d13ff4cb0ec11f
Instruction Fuzzy Hash: D8F02431310131ABDB216A62BC15B2B334CAF41360F8C8157EC84EA280CB38D82045EE

Function 0042B094 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00414B3F,?,?,74D723A0,?,?,003E3522,?,?), ref: 0042B0C6

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4188188d59a9ea47c06a11e59bf05cf63632fbc880d500b6543e11181be31c7b
Instruction ID: b764fde551ee01fc5d23abb7fc7f5f74b96341de92a900efc748e28de272d5df
Opcode Fuzzy Hash: 4188188d59a9ea47c06a11e59bf05cf63632fbc880d500b6543e11181be31c7b
Instruction Fuzzy Hash: 6AE0E5313012315ADA232666BC01B5B7748DF413A0FD50217EC60E22D0CB6CCC0081EE

Function 0042B01A Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00431B48,?,00000000,?,?,00431DE9,?,00000007,?,?,004322DD,?,?), ref: 0042B030

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 9b565035e5bcc02477966bfe576f5bb1e39e0ee6e213240f4a2d014e063ab1b1
Instruction ID: 9d114694fcdd0351bfe53d5a0f7eb68e84bc9a5808f6fb6d62ee3ec84bdc6046
Opcode Fuzzy Hash: 9b565035e5bcc02477966bfe576f5bb1e39e0ee6e213240f4a2d014e063ab1b1
Instruction Fuzzy Hash: 2FE0CD31341234A6DB223B69BC04B9B3759FF55794FE4802AF718575A0CB7C8C5083D8

Non-executed Functions

Function 0041C960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: cbfc449cf2442b255de6347451e99f1171a3ad121806e747b8cfe1b614e3fe9e
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: F0022A71E402199BDF14CFA9D9C06EEBBB1FF48314F24826AD919E7340D735A981CB98

Function 003FA060 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 003FA09D
std::_Lockit::_Lockit.LIBCPMT ref: 003FA0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 003FA0E7
__Getctype.LIBCPMT ref: 003FA1C5
std::_Facet_Register.LIBCPMT ref: 003FA1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 003FA223

Strings

PD>, xrefs: 003FA19A
PG>, xrefs: 003FA1BF
E>, xrefs: 003FA1AE

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: PD>$PG>$E>
API String ID: 1102183713-1378281483
Opcode ID: bb082c7adb6b919f928da73c6886a4ec8593b44cc1c70a810303630e8f89d76f
Instruction ID: c69e4e7eb98d8ab7040c3b558b6887cf82765893059b6bbc8365cfeac07f6639
Opcode Fuzzy Hash: bb082c7adb6b919f928da73c6886a4ec8593b44cc1c70a810303630e8f89d76f
Instruction Fuzzy Hash: AC51CBB0D00649CFCB12CF58D9417AEBBF4BB10314F14825DD849AB381DBB4AE88CB92

Function 004172D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00417307
___except_validate_context_record.LIBVCRUNTIME ref: 0041730F
_ValidateLocalCookies.LIBCMT ref: 00417398
__IsNonwritableInCurrentImage.LIBCMT ref: 004173C3
_ValidateLocalCookies.LIBCMT ref: 00417418

Strings

`->, xrefs: 004173DC
csm, xrefs: 004173AD

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: `->$csm
API String ID: 1170836740-1728804828
Opcode ID: c043c6fa2de01198bbc9f8f779a7a4b850e7f1dba340b1e38ef72583e3d0986f
Instruction ID: 07c8c52506078abc0b61489e1dd418abcac4bafb1d930278b6d6b388f7018ef8
Opcode Fuzzy Hash: c043c6fa2de01198bbc9f8f779a7a4b850e7f1dba340b1e38ef72583e3d0986f
Instruction Fuzzy Hash: F941C634A042199BCF10DF59C885ADEBBB5AF04318F14815AFC149B392DB39DA81DB95

Function 003FC430 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 003FC45A
std::_Lockit::_Lockit.LIBCPMT ref: 003FC47C
std::_Lockit::~_Lockit.LIBCPMT ref: 003FC4A4
std::_Facet_Register.LIBCPMT ref: 003FC59A
std::_Lockit::~_Lockit.LIBCPMT ref: 003FC5C4

Strings

E>, xrefs: 003FC562
PD>, xrefs: 003FC54E

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: E>$PD>
API String ID: 459529453-97385129
Opcode ID: 7f6e8b4fe99ced46bc85cf5e4686343daf684767a82e194e9167e3f44a36bf6b
Instruction ID: 3492fd7c7d05926ade36f58f1ad398ba38e993e82426c6f0a77ece471c9ea8a9
Opcode Fuzzy Hash: 7f6e8b4fe99ced46bc85cf5e4686343daf684767a82e194e9167e3f44a36bf6b
Instruction Fuzzy Hash: 1A51DB70900248DBDB12CF99DA50BAEBBF4FB11314F24815DE845AB381D7B5AE09CB90

Function 0042BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0042BBEC

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: b72e321d3f6d5d67aeeb02919d18be7adf54166526bfe91b0a390d3b9fe8f9f4
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: F3B14532B003659FDB118E24DC82BEFBBA5EF59310F55416BE944AB382D7789801C7E9

Function 00412729 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00412730
std::_Lockit::_Lockit.LIBCPMT ref: 0041273B
std::_Lockit::~_Lockit.LIBCPMT ref: 004127A9

Part of subcall function 0041288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004128A4

std::locale::_Setgloballocale.LIBCPMT ref: 00412756

Strings

`->, xrefs: 00412778, 0041279C

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID: `->
API String ID: 677527491-1457345910
Opcode ID: 24b659bd5b82bbeca5c7cd7a25cfabecdc0d9f5a5629cf3319d47b4afc8bfd7c
Instruction ID: 3dec5aab2ac03ce3e4c2badf16e5a16401bf6cb26a9454d6adc833208091372b
Opcode Fuzzy Hash: 24b659bd5b82bbeca5c7cd7a25cfabecdc0d9f5a5629cf3319d47b4afc8bfd7c
Instruction Fuzzy Hash: 2001FC35A002109BCB0AAB24D8415BE7BB0BF94754B08050EE81197381CFB8AE96DB89

Function 003E7350 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 003E750C
___std_exception_destroy.LIBVCRUNTIME ref: 003E7522

Strings

)>, xrefs: 003E7502, 003E751C
[json.exception., xrefs: 003E73A1

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )>$[json.exception.
API String ID: 4194217158-421053594
Opcode ID: e2e65987962b18ba3fca9558b646c86db83a578528f70abfc285e14e87bf1a4f
Instruction ID: 6599f1a14fed2dffd2668f3631baacfcb63c0901fbfbd920b410a0fe4885ea4d
Opcode Fuzzy Hash: e2e65987962b18ba3fca9558b646c86db83a578528f70abfc285e14e87bf1a4f
Instruction Fuzzy Hash: 0C51DFB1D046889FDB01DFA8C905BAEBBF4EF15314F144259E854AB3C2E7B85A44CBE1

Function 003E4900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 003E499F

Strings

ios_base::badbit set, xrefs: 003E4937, 003E4962
ios_base::eofbit set, xrefs: 003E4946
ios_base::failbit set, xrefs: 003E4828, 003E4941

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: 022f27686ebb0bea830665f8ca77e2b8b728ef1fdf5e7cfb9f430f6a3de66036
Instruction ID: e0108155942b1716ecbb9a595a2b0022be2a256d6f5becc1a78b776f59b38de4
Opcode Fuzzy Hash: 022f27686ebb0bea830665f8ca77e2b8b728ef1fdf5e7cfb9f430f6a3de66036
Instruction Fuzzy Hash: CC119C72804694ABC711DE299C02BE637DCF709710F04472AFD549B2C2FB35A800C796

Function 003E36E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 003E3819
___std_exception_destroy.LIBVCRUNTIME ref: 003E38F0

Strings

)>, xrefs: 003E37ED, 003E38EA

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: )>
API String ID: 2970364248-1110121906
Opcode ID: d9f0258fa5bd954dc455b523ed24be46ef2f7ad09c5de7b37d6ca442460ee6bf
Instruction ID: 9e735ac2627b2f6f304f5a277481f85841809954c683130283dc3d6c93ec116a
Opcode Fuzzy Hash: d9f0258fa5bd954dc455b523ed24be46ef2f7ad09c5de7b37d6ca442460ee6bf
Instruction Fuzzy Hash: B06169B1C04258EFDB11CF98C849B9DFFB4FF19324F14825AE814AB282D7B55A44CBA1

Function 003E47F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 003E499F

Strings

ios_base::badbit set, xrefs: 003E4937, 003E4962
ios_base::failbit set, xrefs: 003E4828

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: b54619c6dca8bf9560081ff4ad1d0735ae528e9700e772fc3a79760dd2ce834f
Instruction ID: 55db3f0f3a41efbec10717cf1fa0cb2fbc18634589536c41fc7c78681de11789
Opcode Fuzzy Hash: b54619c6dca8bf9560081ff4ad1d0735ae528e9700e772fc3a79760dd2ce834f
Instruction Fuzzy Hash: FB4123B1C00298ABCB05DF69D845BAEBBB8FB09710F14835DF454AB2C2D7756A00CBA1

Function 003E4040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 003E4061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003E40C4

Strings

bad locale name, xrefs: 003E40E6

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 72ac13644fce9f1e7c2e17a66e90edf1d3fe0d9c7e3650a2b2b324a6ce242b57
Instruction ID: a189d638d45b9a71b0debd529c327e43c9e462032541aa667d8b6f46390d2de3
Opcode Fuzzy Hash: 72ac13644fce9f1e7c2e17a66e90edf1d3fe0d9c7e3650a2b2b324a6ce242b57
Instruction Fuzzy Hash: 7D110370805B84EED721CF69C50478BBFF0AF15714F10868DD09597B82D3B96A04C791

Function 003F6590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 003F65C9
___std_exception_copy.LIBVCRUNTIME ref: 003F65FC

Strings

)>, xrefs: 003F65BA, 003F65ED

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_copy
String ID: )>
API String ID: 2659868963-1110121906
Opcode ID: 8cf3c359dce0db1a9b4cc3a92e756038ac4fa383c77791c670c42fec0b9abf73
Instruction ID: a15d27ecf778d78b18a7bcead0eaf6feeb653572dd4362e5035b282136e9ccb8
Opcode Fuzzy Hash: 8cf3c359dce0db1a9b4cc3a92e756038ac4fa383c77791c670c42fec0b9abf73
Instruction Fuzzy Hash: B11130B5904748EBCB11DF99D980B86FBF8FF09724F10876AF81497641E774A5408BA0

Function 003E7A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 003E7A5C
___std_exception_destroy.LIBVCRUNTIME ref: 003E7A72

Strings

)>, xrefs: 003E7A52, 003E7A6C

Memory Dump Source

Source File: 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000009.00000002.2960639491.00000000003E0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960668282.0000000000565000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2960949617.000000000056A000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000056D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.00000000007D4000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.0000000000814000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000081C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2961012549.000000000082A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2962813085.000000000082B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964301087.00000000009CB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2964349504.00000000009CD000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3e0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )>
API String ID: 4194217158-1110121906
Opcode ID: 6d5944d71b9cbe39469e1dd18e5ad17861c5d33586b31f30fb978a6eea7596a6
Instruction ID: 6a645197ac80297d8d2e281e4e9c9141b3013f91c5cdd7d51eb5076eaa305aca
Opcode Fuzzy Hash: 6d5944d71b9cbe39469e1dd18e5ad17861c5d33586b31f30fb978a6eea7596a6
Instruction Fuzzy Hash: 99F06DB1804748EFC710DF98D90178DBBF8FB06729F50066AE824A3780D3B566048BA1

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 90ZF1EDs9h.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Windows Analysis Report
90ZF1EDs9h.exe

Function 00049280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Function 04BC0728 Relevance: 1.7, APIs: 1, Instructions: 227
COMMON

Function 00107B00 Relevance: 16.8, APIs: 11, Instructions: 284
networksleepCOMMON

Function 00108590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Function 04BC0770 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Function 04BC0759 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Function 00089789 Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Function 04BC078A Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 04BC07E9 Relevance: 1.7, APIs: 1, Instructions: 155
COMMON

Function 04BC0890 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Function 04BC0836 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Function 04BC085D Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre